From 4553a27a926c0eef241e0f081ccbb97e2310beeb Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 17 Jul 2012 12:59:36 +0200 Subject: [PATCH 01/49] modules/security/pam.nix: add xscreensaver to the list of services --- modules/security/pam.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 4fab7febc710..dc18ffd7d022 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -238,6 +238,7 @@ in { name = "sshd"; } { name = "vlock"; } { name = "xlock"; } + { name = "xscreensaver"; } ]; }; From f43033a3f764261781b065283150700ac2943fc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Wed, 18 Jul 2012 21:50:18 +0200 Subject: [PATCH 02/49] crashdump: it required some kernel options for the nmi_watchdog to work. Now it says at boot, for every core: NMI watchdog: enabled, takes one hw-pmu counter. --- modules/misc/crashdump.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/misc/crashdump.nix b/modules/misc/crashdump.nix index 973abfd93270..98b2140a23d5 100644 --- a/modules/misc/crashdump.nix +++ b/modules/misc/crashdump.nix @@ -54,7 +54,7 @@ in ''; kernelParams = [ "crashkernel=64M" - "nmi_watchdog=1" + "nmi_watchdog=panic" ]; kernelPackages = mkOverride 50 (crashdump.kernelPackages // { kernel = crashdump.kernelPackages.kernel.override @@ -64,6 +64,8 @@ in CRASH_DUMP y DEBUG_INFO y PROC_VMCORE y + LOCKUP_DETECTOR y + HARDLOCKUP_DETECTOR y ''; }); }); From 63742a942e5cbf1d254f89506b382a0524237a3a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 18 Jul 2012 17:08:27 -0400 Subject: [PATCH 03/49] Don't create /var/log/upstart/ unless necessary --- modules/system/upstart/upstart.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/system/upstart/upstart.nix b/modules/system/upstart/upstart.nix index 1bfde9fc60ee..961b3ad3cba2 100644 --- a/modules/system/upstart/upstart.nix 
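Review bot: `nmi_watchdog=panic` changes the hard-lockup response from a warning to a kernel panic, and alongside the `crashkernel=64M` entry in the same list that panic is presumably what hands control to the dump kernel; nothing in crashdump.nix records that intent, so a later reader finds it only in the commit message. I'd add a comment above the `kernelParams` list, e.g. `# panic (not just warn) on a hard lockup so the crash kernel captures it; needs the LOCKUP_DETECTOR options in the kernel config below`. The second hunk of this patch adds `LOCKUP_DETECTOR` and `HARDLOCKUP_DETECTOR`, and the comment should point at those so the two changes are not separated again.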
+++ b/modules/system/upstart/upstart.nix @@ -487,11 +487,11 @@ in services.dbus.packages = [ upstart ]; system.activationScripts.chownJobLogs = stringAfter ["var"] - (concatMapStrings (job: '' - touch /var/log/upstart/${job.name} - ${optionalString (job.setuid != "") "chown ${job.setuid} /var/log/upstart/${job.name}"} - ${optionalString (job.setgid != "") "chown :${job.setgid} /var/log/upstart/${job.name}"} - '') (attrValues config.jobs)); + (concatMapStrings (job: optionalString (job.setuid != "" || job.setgid != "") '' + touch /var/log/upstart/${job.name} + ${optionalString (job.setuid != "") "chown ${job.setuid} /var/log/upstart/${job.name}"} + ${optionalString (job.setgid != "") "chown :${job.setgid} /var/log/upstart/${job.name}"} + '') (attrValues config.jobs)); }; From b609ff4fcf48b2124d94bf1052c303a36c8cabf1 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Sat, 21 Jul 2012 17:35:50 +0200 Subject: [PATCH 04/49] allow out-of-tree nixos modules The environment variable "NIXOS_EXTRA_MODULES" is now checked to contain a path to a file similar to modules/module-list.nix. This gives the ability to include nixos modules that are not in the nixos source tree. This can be useful for modules that are still experimental, or which aren't useful for other nixos users. Of course, this was already possible to do this using a forked nixos tree, but with this functionality, you can just rely on the nixos channel, easing things a lot. --- default.nix | 9 ++++++--- modules/security/sudo.nix | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/default.nix b/default.nix index fda19c3a149f..ca69f07ef31c 100644 --- a/default.nix +++ b/default.nix 
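Review bot: `touch` and `chown` in the rewritten activation snippet dereference symlinks, so the snippet is only safe as long as `/var/log/upstart` itself stays root-owned and is not writable by any job's `setuid` user; the directory is no longer created here (the commit title suggests it is left to Upstart) and the hunk does not show who creates it or with what mode. That assumption deserves a comment above the `concatMapStrings`, e.g. `# /var/log/upstart must stay root-owned: touch/chown below follow symlinks`, and a check that Upstart creates it restrictively. As a style point the outer `optionalString (job.setuid != "" || job.setgid != "")` restates the two inner conditions; binding that test once in a `let` would make the intent clearer.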
@@ -1,12 +1,15 @@ { configuration ? import ./lib/from-env.nix "NIXOS_CONFIG" +, extraModulesPath ? builtins.getEnv "NIXOS_EXTRA_MODULES" , system ? builtins.currentSystem }: let + extraModules = if extraModulesPath == "" then [] else import extraModulesPath; + eval = import ./lib/eval-config.nix { inherit system; - modules = [ configuration ]; + modules = [ configuration ] ++ extraModules; }; inherit (eval) config pkgs; @@ -14,7 +17,7 @@ let # This is for `nixos-rebuild build-vm'. vmConfig = (import ./lib/eval-config.nix { inherit system; - modules = [ configuration ./modules/virtualisation/qemu-vm.nix ]; + modules = [ configuration ./modules/virtualisation/qemu-vm.nix ] ++ extraModules; }).config; # This is for `nixos-rebuild build-vm-with-bootloader'. @@ -24,7 +27,7 @@ let [ configuration ./modules/virtualisation/qemu-vm.nix { virtualisation.useBootLoader = true; } - ]; + ] ++ extraModules; }).config; in diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index 76c325d8d8f6..aac592619c52 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix @@ -35,6 +35,7 @@ in # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE Defaults:root,%wheel env_keep+=NIX_PATH + Defaults:root,%wheel env_keep+=NIXOS_EXTRA_MODULES Defaults:root,%wheel env_keep+=TERMINFO_DIRS # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. From 26bf696350fb1dc61be11c2fb8980b8ff3e1de68 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Sat, 21 Jul 2012 18:30:58 +0200 Subject: [PATCH 05/49] Revert "allow out-of-tree nixos modules" This reverts commit b609ff4fcf48b2124d94bf1052c303a36c8cabf1. It turns out this can just be done using "require". --- default.nix | 9 +++------ modules/security/sudo.nix | 1 - 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/default.nix b/default.nix index ca69f07ef31c..fda19c3a149f 100644 --- a/default.nix +++ b/default.nix 
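Review bot: `import extraModulesPath` on the new `extraModules` line takes the string straight from `NIXOS_EXTRA_MODULES`, and as far as I recall Nix's `import` rejects a string that is not an absolute path, so a relative value fails with an error that never mentions the variable. An explicit guard such as `assert extraModulesPath == "" || builtins.substring 0 1 extraModulesPath == "/";` would name the failure. The same `++ extraModules` is appended in the two `vmConfig` hunks below, so the guard belongs once, next to the definition.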
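Review bot: The added `env_keep+=NIXOS_EXTRA_MODULES` means whichever file that variable names in the invoking user's environment gets imported and evaluated when `nixos-rebuild` runs under sudo; that is the same trust already extended to `NIX_PATH` on the line above, but it deserves a comment saying so, e.g. `# NIXOS_EXTRA_MODULES names a file nixos-rebuild evaluates; kept because %wheel already controls NIX_PATH`. If a sudoers rule ever narrows `%wheel` to specific commands, both variables need revisiting, since each lets the caller choose which Nix expressions root evaluates.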
@@ -1,15 +1,12 @@ { configuration ? import ./lib/from-env.nix "NIXOS_CONFIG" -, extraModulesPath ? builtins.getEnv "NIXOS_EXTRA_MODULES" , system ? builtins.currentSystem }: let - extraModules = if extraModulesPath == "" then [] else import extraModulesPath; - eval = import ./lib/eval-config.nix { inherit system; - modules = [ configuration ] ++ extraModules; + modules = [ configuration ]; }; inherit (eval) config pkgs; @@ -17,7 +14,7 @@ let # This is for `nixos-rebuild build-vm'. vmConfig = (import ./lib/eval-config.nix { inherit system; - modules = [ configuration ./modules/virtualisation/qemu-vm.nix ] ++ extraModules; + modules = [ configuration ./modules/virtualisation/qemu-vm.nix ]; }).config; # This is for `nixos-rebuild build-vm-with-bootloader'. @@ -27,7 +24,7 @@ let [ configuration ./modules/virtualisation/qemu-vm.nix { virtualisation.useBootLoader = true; } - ] ++ extraModules; + ]; }).config; in diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index aac592619c52..76c325d8d8f6 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix @@ -35,7 +35,6 @@ in # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE Defaults:root,%wheel env_keep+=NIX_PATH - Defaults:root,%wheel env_keep+=NIXOS_EXTRA_MODULES Defaults:root,%wheel env_keep+=TERMINFO_DIRS # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. From 3221159f5f24763a2a07cedca658a4ca050b6db5 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Sat, 21 Jul 2012 19:25:02 +0200 Subject: [PATCH 06/49] fix init-script-builder --- modules/installer/init-script/init-script-builder.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/installer/init-script/init-script-builder.sh b/modules/installer/init-script/init-script-builder.sh index 24128ae9abc9..f091dc8b6c89 100644 --- a/modules/installer/init-script/init-script-builder.sh +++ b/modules/installer/init-script/init-script-builder.sh 
@@ -1,4 +1,3 @@ - #! @bash@/bin/sh -e shopt -s nullglob @@ -44,7 +43,7 @@ addEntry() { configurationCounter=$((configurationCounter + 1)) - local stage2=$(readlink $path/init) + local stage2=$path/init content="$( echo "#!/bin/sh" From 8bde72d99c7f067e975adaac2409721ac153fb11 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 17 Jul 2012 02:44:03 +0300 Subject: [PATCH 07/49] Mount securityfs needed for AppArmor and some TPM drivers. Should be harmless. --- modules/system/boot/stage-1-init.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/boot/stage-1-init.sh b/modules/system/boot/stage-1-init.sh index cc12ccaa738f..175b58a3719c 100644 --- a/modules/system/boot/stage-1-init.sh +++ b/modules/system/boot/stage-1-init.sh @@ -70,6 +70,7 @@ mount -t sysfs none /sys mount -t tmpfs -o "mode=0755,size=@devSize@" none /dev mkdir -p /run mount -t tmpfs -o "mode=0755,size=@runSize@" none /run +mount -t securityfs none /sys/kernel/security # Some console devices, for the interactivity mknod /dev/console c 5 1 From 4549bad2f455df7f63a62a04031311a6e4f58097 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 17 Jul 2012 02:47:41 +0300 Subject: [PATCH 08/49] AppArmor: packaged --- modules/module-list.nix | 1 + modules/security/apparmor.nix | 52 +++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 modules/security/apparmor.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index 1e5ec300df5d..0b139c95141a 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -47,6 +47,7 @@ ./programs/ssmtp.nix ./programs/wvdial.nix ./rename.nix + ./security/apparmor.nix ./security/ca.nix ./security/consolekit.nix ./security/pam.nix diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix new file mode 100644 index 000000000000..2e273bf53438 --- /dev/null +++ b/modules/security/apparmor.nix 
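Review bot: The new `mount -t securityfs none /sys/kernel/security` is unconditional, but securityfs only exists when the kernel is built with it; on a kernel without it the mount fails, and if stage 1 runs with `-e` (not visible in this hunk) that aborts boot before the root filesystem is reached. The surrounding mounts are for filesystems every kernel here provides, so this one should be guarded; since sysfs is mounted on the line above and the kernel only creates that directory when securityfs is present, `[ -d /sys/kernel/security ] && mount -t securityfs none /sys/kernel/security` keeps the failure from being fatal. A comment noting that AppArmor and some TPM drivers depend on it, as the commit message says, would also help.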
@@ -0,0 +1,52 @@ +{pkgs, config, ...}: +let + cfg = config.security.apparmor; +in +with pkgs.lib; +{ + + ###### interface + + options = { + + security.apparmor = { + + enable = mkOption { + default = false; + description = '' + Enable AppArmor application security system + ''; + }; + + profiles = mkOption { + default = []; + merge = mergeListOption; + description = '' + List of file names of AppArmor profiles. + ''; + }; + + }; + }; + + + ###### implementation + + config = mkIf (cfg.enable) { + + jobs.apparmor = + { startOn = "startup"; + + path = [ pkgs.apparmor ]; + + preStart = concatMapStrings (profile: '' + apparmor_parser -Kv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" + '') cfg.profiles; + + postStop = '' + ''; + }; + + }; + +} From 7ddea025e4da8c63a241cfcb464547cbf4dc85a3 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Mon, 23 Jul 2012 03:28:21 +0200 Subject: [PATCH 09/49] dont hardcode apache group name when setting permissions for state dir --- modules/services/web-servers/apache-httpd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index ba02c6ead43f..2eadde36e166 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -595,7 +595,7 @@ in preStart = '' mkdir -m 0750 -p ${mainCfg.stateDir} - chown root.wwwrun ${mainCfg.stateDir} + chown root.${mainCfg.group} ${mainCfg.stateDir} mkdir -m 0700 -p ${mainCfg.logDir} ${optionalString (mainCfg.documentRoot != null) From 4f109c8a3d2dcb67a95404c7c5c0a563277e237b Mon Sep 17 00:00:00 2001 
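Review bot: The `apparmor` job loads profiles in `preStart`, but nothing orders the jobs those profiles are meant to confine after it: with `startOn = "startup"` a confined daemon that starts in parallel is exec'd before its profile exists and runs unconfined until its next restart, so the module should document that confined jobs must start after `apparmor` (for example via their own `startOn`). Also `apparmor_parser -Kv` without `-r` only adds profiles, and if I recall correctly adding an already loaded profile fails, so restarting the job after editing a profile errors out; `apparmor_parser -Kvr` (replace) avoids that, and the empty `postStop` could unload with `apparmor_parser -R`. Finally the `enable` and `profiles` options declare no `type`; `types.bool` for `enable` and a list type for `profiles` would reject the obvious mistakes at evaluation time.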
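Review bot: `chown root.${mainCfg.group}` uses the legacy `user.group` separator, which GNU chown resolves ambiguously when a user or group name itself contains a dot; now that the group is configurable, `chown root:${mainCfg.group} ${mainCfg.stateDir}` is the unambiguous spelling. The `preStart` block continues outside the hunk.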
From: Phreedom Date: Mon, 23 Jul 2012 17:18:19 +0300 Subject: [PATCH 10/49] ClamAV: package virus fingerprint database updater. --- modules/misc/ids.nix | 2 + modules/module-list.nix | 1 + modules/services/security/clamav.nix | 80 ++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 modules/services/security/clamav.nix diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 1f5d0d3b5a54..57ff1af2ff6f 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -69,6 +69,7 @@ in unbound = 48; prayer = 49; mpd = 50; + clamav = 51; # When adding a uid, make sure it doesn't match an existing gid. @@ -118,6 +119,7 @@ in dovecot2 = 46; prayer = 49; mpd = 50; + clamav = 51; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/module-list.nix b/modules/module-list.nix index 0b139c95141a..a67f8c2f1335 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -161,6 +161,7 @@ ./services/scheduling/atd.nix ./services/scheduling/cron.nix ./services/scheduling/fcron.nix + ./services/security/clamav.nix ./services/security/frandom.nix ./services/security/tor.nix ./services/security/torsocks.nix diff --git a/modules/services/security/clamav.nix b/modules/services/security/clamav.nix new file mode 100644 index 000000000000..5ccb4927fcb7 --- /dev/null +++ b/modules/services/security/clamav.nix 
@@ -0,0 +1,80 @@ +{ config, pkgs, ... }: +with pkgs.lib; +let + clamavUser = "clamav"; + stateDir = "/var/lib/clamav"; + clamavGroup = clamavUser; + cfg = config.services.clamav; +in +{ + ###### interface + + options = { + + services.clamav = { + updater = { + enable = mkOption { + default = false; + description = '' + Whether to enable automatic ClamAV virus definitions database updates. + ''; + }; + + frequency = mkOption { + default = 12; + description = '' + Number of database checks per day. + ''; + }; + + config = mkOption { + default = ""; + description = '' + Extra configuration for freshclam. Contents will be added verbatim to the + configuration file. + ''; + }; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.updater.enable { + environment.systemPackages = [ pkgs.clamav ]; + users.extraUsers = singleton + { name = clamavUser; + uid = config.ids.uids.clamav; + description = "ClamAV daemon user"; + home = stateDir; + }; + + users.extraGroups = singleton + { name = clamavGroup; + gid = config.ids.gids.clamav; + }; + + services.clamav.updater.config = '' + DatabaseDirectory ${stateDir} + Foreground yes + Checks ${toString cfg.updater.frequency} + DatabaseMirror database.clamav.net + ''; + + jobs = { + clamav_updater = { + name = "clamav-updater"; + startOn = "started network-interfaces"; + stopOn = "stopping network-interfaces"; + + preStart = '' + mkdir -m 0755 -p ${stateDir} + chown ${clamavUser}:${clamavGroup} ${stateDir} + ''; + exec = "${pkgs.clamav}/bin/freshclam --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}"; + }; + }; + + }; + +} \ No newline at end of file From 5a0cf5e7b66693cc939dab1d15278a4682f5a216 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 23 Jul 2012 14:01:10 -0400 Subject: [PATCH 11/49] Use ext4 for VirtualBox images --- modules/virtualisation/virtualbox-image.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
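Review bot: The `clamav-updater` job execs `freshclam` as root: it sets neither `setuid` nor `setgid`, while the dedicated `clamav` user and the `chown ${clamavUser}:${clamavGroup} ${stateDir}` in `preStart` suggest the updater was meant to run unprivileged. freshclam can drop privileges itself through its `DatabaseOwner` directive, but the generated `services.clamav.updater.config` string does not set it, so either add `DatabaseOwner ${clamavUser}` to that string or set `setuid = clamavUser; setgid = clamavGroup;` on the job and keep only the mkdir/chown in the root-run `preStart`. Separately, `services.clamav.updater.config` is both declared as a user-facing option (default `""`, "added verbatim") and fully defined by the module in the same file; whether a user's definition merges with the module's or conflicts depends on merge behaviour the option does not declare, so the description should state what happens.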
diff --git a/modules/virtualisation/virtualbox-image.nix b/modules/virtualisation/virtualbox-image.nix index c3fbf344bfbc..9c488b6b0396 100644 --- a/modules/virtualisation/virtualbox-image.nix +++ b/modules/virtualisation/virtualbox-image.nix @@ -30,7 +30,7 @@ with pkgs.lib; mknod /dev/vda1 b $MAJOR $MINOR # Create an empty filesystem and mount it. - ${pkgs.e2fsprogs}/sbin/mkfs.ext3 -L nixos /dev/vda1 + ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1 ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1 mkdir /mnt mount /dev/vda1 /mnt From 47e67f5e9caf22bd9f33047d90e73fdc686acef3 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Mon, 23 Jul 2012 03:19:02 +0200 Subject: [PATCH 12/49] renaming all occurrences of /var/run/{booted,current}-system in particular those found in docs still keeping old path in modules/config/shells.nix for unkown reason (?) --- doc/manual/man-nixos-rebuild.xml | 2 +- doc/manual/userconfiguration.xml | 16 ++++++++-------- gui/chrome/content/nixos.js | 4 ++-- lib/test-driver/test-driver.pl | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/doc/manual/man-nixos-rebuild.xml b/doc/manual/man-nixos-rebuild.xml index 383334d82e1d..ddf4e40be0c2 100644 --- a/doc/manual/man-nixos-rebuild.xml +++ b/doc/manual/man-nixos-rebuild.xml @@ -281,7 +281,7 @@ the Nix manual for details. - /var/run/current-system + /run/current-system A symlink to the currently active system configuration in the Nix store. diff --git a/doc/manual/userconfiguration.xml b/doc/manual/userconfiguration.xml index 2cad256c7421..7c6540caf3a7 100644 --- a/doc/manual/userconfiguration.xml +++ b/doc/manual/userconfiguration.xml 
@@ -13,20 +13,20 @@ them found both by Compiz and by Compiz Configuration Settings (also in Compiz Fusion distribution). By default they look in Compiz installation path and in home directory. You do not need to track /nix/store manually - everything is already in - /var/run/current-system/sw/share. + /run/current-system/sw/share. $HOME/.compiz/plugins should contain plugins you want to load. All the installed plugins are available in - /var/run/current-system/sw/share/compiz-plugins/compiz/, + /run/current-system/sw/share/compiz-plugins/compiz/, so you can use symlinks to this directory. $HOME/.compiz/metadata should contain metadata (definition of configuration options) for plugins you want to load. All the installed metadata is available in - /var/run/current-system/sw/share/compiz/, + /run/current-system/sw/share/compiz/, so you can use symlinks to this directory. @@ -35,16 +35,16 @@ should be found, but if you run Compiz with GConf configuration (default for X server job for now), you have to link - /var/run/current-system/sw/share/compizconfig/backends/ + /run/current-system/sw/share/compizconfig/backends/ into $HOME/.compizconfig/backends directory. To summarize the above, these are the commands you have to execute - ln -s /var/run/current-system/sw/share/compiz/ $HOME/.compiz/metadata - ln -s /var/run/current-system/sw/share/compiz-plugins/compiz/ $HOME/.compiz/plugins - ln -s /var/run/current-system/sw/share/compizconfig/backends/ $HOME/.compizconfig/backends + ln -s /run/current-system/sw/share/compiz/ $HOME/.compiz/metadata + ln -s /run/current-system/sw/share/compiz-plugins/compiz/ $HOME/.compiz/plugins + ln -s /run/current-system/sw/share/compizconfig/backends/ $HOME/.compizconfig/backends Now you can launch ccsm and configure everything. You should select GConf as a backend in the preferences menu of ccsm 
@@ -57,7 +57,7 @@ To have pidgin-latex plugin working after installation, you need the following: - Symlink /var/run/current-system/sw/share/pidgin-latex/pidgin-latex.so + Symlink /run/current-system/sw/share/pidgin-latex/pidgin-latex.so to $HOME/.purple/plugins/pidgin-latex.so diff --git a/gui/chrome/content/nixos.js b/gui/chrome/content/nixos.js index 7b45b6c006a5..63a3c16a573f 100644 --- a/gui/chrome/content/nixos.js +++ b/gui/chrome/content/nixos.js @@ -21,8 +21,8 @@ NixOS.prototype = { nixos: "/etc/nixos/nixos", nixpkgs: "/etc/nixos/nixpkgs", config: "/etc/nixos/configuration.nix", - instantiateBin: "/var/run/current-system/sw/bin/nix-instantiate", - optionBin: "/var/run/current-system/sw/bin/nixos-option", + instantiateBin: "/run/current-system/sw/bin/nix-instantiate", + optionBin: "/run/current-system/sw/bin/nixos-option", tmpFile: "nixos-gui", option: null }; diff --git a/lib/test-driver/test-driver.pl b/lib/test-driver/test-driver.pl index 43f74cf404bb..6c95f5ba5176 100644 --- a/lib/test-driver/test-driver.pl +++ b/lib/test-driver/test-driver.pl @@ -135,7 +135,7 @@ sub runTests { # Figure out where to put the *.gcda files so that the # report generator can find the corresponding kernel # sources. - my $kernelDir = $vm->mustSucceed("echo \$(dirname \$(readlink -f /var/run/current-system/kernel))/.build/linux-*"); + my $kernelDir = $vm->mustSucceed("echo \$(dirname \$(readlink -f /run/current-system/kernel))/.build/linux-*"); chomp $kernelDir; my $coverageDir = "/tmp/xchg/coverage-data/$kernelDir"; From 52c97adaba852a612d801332ce84c503680ff497 Mon Sep 17 00:00:00 2001 
From: Peter Simons Date: Mon, 23 Jul 2012 21:48:21 +0200 Subject: [PATCH 13/49] modules/services/web-servers/apache-httpd: make this module more configurable - The new option 'apacheHttpd' determines the version of the Apache HTTP Server that's being used by this module. The default version is Apache 2.2.x, as before. - The new option 'configFile' allows users specify their own custom config file for the web server instead of being limited to the one that this module generates. --- .../web-servers/apache-httpd/default.nix | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 2eadde36e166..41cf31e4473a 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -6,7 +6,9 @@ let mainCfg = config.services.httpd; - httpd = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; }; + httpd = mainCfg.apacheHttpd; + + httpdConf = mainCfg.configFile; php = pkgs.php.override { apacheHttpd = httpd; }; @@ -280,7 +282,7 @@ let ''; - httpdConf = pkgs.writeText "httpd.conf" '' + confFile = pkgs.writeText "httpd.conf" '' ServerRoot ${httpd} 
@@ -403,10 +405,29 @@ in "; }; + apacheHttpd = mkOption { + default = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; }; + example = "pkgs.apacheHttpd_2_4"; + description = " + Overridable attribute of the Apache HTTP Server package to use. + "; + }; + + configFile = mkOption { + default = confFile; + example = ''pkgs.writeText "httpd.conf" "# my custom config file ...";''; + description = " + Overridable config file to use for Apache. By default, use the + file automatically generated by nixos. + "; + }; + extraConfig = mkOption { default = ""; description = " - These configuration lines will be passed verbatim to the apache config + These configuration lines will be appended to the Apache config + file. Note that this mechanism may not work when + is overridden. "; }; From b3627f6c69795170b96b60cf6b17de5b779de785 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 23 Jul 2012 22:00:35 +0200 Subject: [PATCH 14/49] modules/services/web-servers/apache-httpd: add apache user to the apache group --- modules/services/web-servers/apache-httpd/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 41cf31e4473a..7cdbf49763ab 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -559,6 +559,7 @@ in users.extraUsers = singleton { name = mainCfg.user; + group = mainCfg.group; description = "Apache httpd user"; }; From e8e19bbb1faa8cf5201244bc0a1ade0bb111faa3 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 24 Jul 2012 01:01:48 +0200 Subject: [PATCH 15/49] modules/services/web-servers/apache-httpd: rename 'apacheHttpd' option to 'package' --- modules/services/web-servers/apache-httpd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 7cdbf49763ab..cbd245df432b 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -6,7 +6,7 @@ let mainCfg = config.services.httpd; - httpd = mainCfg.apacheHttpd; + httpd = mainCfg.package; httpdConf = mainCfg.configFile; @@ -405,7 +405,7 @@ in "; }; - apacheHttpd = mkOption { + package = mkOption { default = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; }; example = "pkgs.apacheHttpd_2_4"; description = " From cb063afcbf371383e3d95e329afedd4eb0543898 Mon Sep 17 00:00:00 2001 From: Phreedom Date: Tue, 24 Jul 2012 10:51:17 +0300 Subject: [PATCH 16/49] F-Prot virus signaure database updater: package --- modules/misc/ids.nix | 2 + modules/module-list.nix | 1 + modules/services/security/fprot.nix | 88 +++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 modules/services/security/fprot.nix diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 57ff1af2ff6f..d1621c0c74ef 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -70,6 +70,7 @@ in prayer = 49; mpd = 50; clamav = 51; + fprot = 52; # When adding a uid, make sure it doesn't match an existing gid. @@ -120,6 +121,7 @@ in prayer = 49; mpd = 50; clamav = 51; + fprot = 52; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/module-list.nix b/modules/module-list.nix index a67f8c2f1335..2e6f77afa1fc 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -162,6 +162,7 @@ ./services/scheduling/cron.nix ./services/scheduling/fcron.nix ./services/security/clamav.nix + ./services/security/fprot.nix ./services/security/frandom.nix ./services/security/tor.nix ./services/security/torsocks.nix 
diff --git a/modules/services/security/fprot.nix b/modules/services/security/fprot.nix new file mode 100644 index 000000000000..9f1fc4ed6d8b --- /dev/null +++ b/modules/services/security/fprot.nix 
@@ -0,0 +1,88 @@ +{ config, pkgs, ... }: +with pkgs.lib; +let + fprotUser = "fprot"; + stateDir = "/var/lib/fprot"; + fprotGroup = fprotUser; + cfg = config.services.fprot; +in { + options = { + + services.fprot = { + updater = { + enable = mkOption { + default = false; + description = '' + Whether to enable automatic F-Prot virus definitions database updates. + ''; + }; + + productData = mkOption { + default = "${pkgs.fprot}/opt/f-prot/product.data"; + description = '' + product.data file. Defaults to the one supplied with installation package. + ''; + }; + + frequency = mkOption { + default = 30; + description = '' + Update virus definitions every X minutes. + ''; + }; + + licenseKeyfile = mkOption { + default = "${pkgs.fprot}/opt/f-prot/license.key"; + description = '' + License keyfile. Defaults to the one supplied with installation package. + ''; + }; + + }; + }; + }; + + ###### implementation + + config = mkIf cfg.updater.enable { + environment.systemPackages = [ pkgs.fprot ]; + environment.etc = singleton { + source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; + target = "f-prot.conf"; + }; + + users.extraUsers = singleton + { name = fprotUser; + uid = config.ids.uids.fprot; + description = "F-Prot daemon user"; + home = stateDir; + }; + + users.extraGroups = singleton + { name = fprotGroup; + gid = config.ids.gids.fprot; + }; + + services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; + + jobs = { + fprot_updater = { + name = "fprot-updater"; + task = true; + + # have to copy fpupdate executable because it insists on storing the virus database in the same dir + preStart = '' + mkdir -m 0755 -p ${stateDir} + chown ${fprotUser}:${fprotGroup} ${stateDir} + cp ${pkgs.fprot}/opt/f-prot/fpupdate ${stateDir} + ln -sf ${cfg.updater.productData} ${stateDir}/product.data + ''; + #setuid = fprotUser; + #setgid = fprotGroup; + exec = "/var/lib/fprot/fpupdate --keyfile ${cfg.updater.licenseKeyfile}"; + }; + }; + + }; + +} 
\ No newline at end of file From b3b6b8ad609b541749e12ef280d1d94a516e9a1b Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 Jul 2012 19:07:03 -0400 Subject: [PATCH 17/49] virtualbox-image.nix: VirtualBox disks are /dev/sda, not /dev/vda --- modules/virtualisation/virtualbox-image.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/virtualisation/virtualbox-image.nix b/modules/virtualisation/virtualbox-image.nix index 9c488b6b0396..f049c5eb348a 100644 --- a/modules/virtualisation/virtualbox-image.nix +++ b/modules/virtualisation/virtualbox-image.nix @@ -78,7 +78,7 @@ with pkgs.lib; ]; boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.device = "/dev/sda"; services.virtualbox.enable = true; } From f07f221f0ee46e64bb8a51e04dec6bade8645cfa Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 Jul 2012 19:16:27 -0400 Subject: [PATCH 18/49] Replace grub-menu-builder with a much faster version The old GRUB menu builder script is quite slow, typically taking several seconds. This is a real annoyance since it's run every time you switch to a new configuration. Therefore this patch replaces the Bash script with a much faster Perl script. In a VirtualBox test, the execution time went from 2.7s to 0.1s. The Perl version is also more correct because it uses XML to get the GRUB configuration (through builtins.toXML), so there are no shell escaping issues. The new script currently lacks support for subconfigurations defined through "nesting.children". --- modules/installer/grub/grub-menu-builder.pl | 217 +++++++++++++ modules/installer/grub/grub-menu-builder.sh | 305 ------------------ modules/installer/grub/grub.nix | 22 +- .../activation/switch-to-configuration.sh | 3 +- 4 files changed, 229 insertions(+), 318 deletions(-) create mode 100644 modules/installer/grub/grub-menu-builder.pl delete mode 100644 modules/installer/grub/grub-menu-builder.sh 
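Review bot: The `fprot-updater` job runs as root (the `setuid`/`setgid` lines are commented out) yet executes a binary it first copies into `${stateDir}`, which `preStart` has just chowned to the unprivileged `fprot` user: anyone acting as `fprot` can replace `/var/lib/fprot/fpupdate`, or swap it for a symlink that the root-run `cp` then writes through, and have root execute or overwrite a file of their choosing. Since the job runs as root there is no reason for the directory to be owned by `fprot`; either drop the `chown` and keep `${stateDir}` root-owned, or enable `setuid = fprotUser; setgid = fprotGroup;` and let the root-run `preStart` place the binary with `install -m 0755 -o root -g root`. The `exec` line also hard-codes `/var/lib/fprot/fpupdate` where `${stateDir}/fpupdate` is meant. The job declares no `startOn`, so a comment should say that the `services.cron.systemCronJobs` entry is its only trigger.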
diff --git a/modules/installer/grub/grub-menu-builder.pl b/modules/installer/grub/grub-menu-builder.pl new file mode 100644 index 000000000000..7f0dc15836bc --- /dev/null +++ b/modules/installer/grub/grub-menu-builder.pl 
@@ -0,0 +1,217 @@ +use strict; +use warnings; +use XML::LibXML; +use File::Basename; +use File::Path; +use File::stat; +use File::Copy; +use IO::File; +use POSIX; +use Cwd; + +my $defaultConfig = $ARGV[1] or die; + +my $dom = XML::LibXML->load_xml(location => $ARGV[0]); + +sub get { my ($name) = @_; return $dom->findvalue("/expr/attrs/attr[\@name = '$name']/*/\@value"); } + +my $grub = get("grub"); +my $grubVersion = int(get("version")); +my $extraConfig = get("extraConfig"); +my $extraPerEntryConfig = get("extraPerEntryConfig"); +my $extraEntries = get("extraEntries"); +my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; +my $splashImage = get("splashImage"); +my $configurationLimit = int(get("configurationLimit")); +my $copyKernels = get("copyKernels") eq "true"; +my $timeout = int(get("timeout")); +my $defaultEntry = int(get("default")); + +die "unsupported GRUB version\n" if $grubVersion != 1 && $grubVersion != 2; + +mkpath("/boot/grub", 0, 0700); + + +# Discover whether /boot is on the same filesystem as / and +# /nix/store. If not, then all kernels and initrds must be copied to +# /boot, and all paths in the GRUB config file must be relative to the +# root of the /boot filesystem. `$bootRoot' is the path to be +# prepended to paths under /boot. +my $bootRoot = "/boot"; +if (stat("/")->dev != stat("/boot")->dev) { + $bootRoot = ""; + $copyKernels = 1; +} elsif (stat("/boot")->dev != stat("/nix/store")->dev) { + $copyKernels = 1; +} + + +# Generate the header. +my $conf .= "# Automatically generated. 
DO NOT EDIT THIS FILE!\n"; + +if ($grubVersion == 1) { + $conf .= " + default $defaultEntry + timeout $timeout + "; + if ($splashImage) { + copy $splashImage, "/boot/background.xpm.gz" or die "cannot copy $splashImage to /boot\n"; + $conf .= "splashimage $bootRoot/background.xpm.gz\n"; + } +} + +else { + copy "$grub/share/grub/unicode.pf2", "/boot/grub/unicode.pf2" or die "cannot copy unicode.pf2 to /boot/grub: $!\n"; + + $conf .= " + if [ -s \$prefix/grubenv ]; then + load_env + fi + + # ‘grub-reboot’ sets a one-time saved entry, which we process here and + # then delete. + if [ \"\${saved_entry}\" ]; then + # The next line *has* to look exactly like this, otherwise KDM's + # reboot feature won't work properly with GRUB 2. + set default=\"\${saved_entry}\" + set saved_entry= + set prev_saved_entry= + save_env saved_entry + save_env prev_saved_entry + set timeout=1 + else + set default=$defaultEntry + set timeout=$timeout + fi + + if loadfont $bootRoot/grub/unicode.pf2; then + set gfxmode=640x480 + insmod gfxterm + insmod vbe + terminal_output gfxterm + fi + "; + + if ($splashImage) { + # FIXME: GRUB 1.97 doesn't resize the background image if it + # doesn't match the video resolution. + copy $splashImage, "/boot/background.png" or die "cannot copy $splashImage to /boot\n"; + $conf .= " + insmod png + if background_image $bootRoot/background.png; then + set color_normal=white/black + set color_highlight=black/white + else + set menu_color_normal=cyan/blue + set menu_color_highlight=white/blue + fi + "; + } +} + +$conf .= "$extraConfig\n"; + + +# Generate the menu entries. +my $curEntry = 0; +$conf .= "\n"; + +my %copied; +mkpath("/boot/kernels", 0, 0755) if $copyKernels; + +sub copyToKernelsDir { + my ($path) = @_; + return $path unless $copyKernels; + $path =~ /\/nix\/store\/(.*)/ or die; + my $name = $1; $name =~ s/\//-/g; + my $dst = "/boot/kernels/$name"; + # Don't copy the file if $dst already exists. 
This means that we + # have to create $dst atomically to prevent partially copied + # kernels or initrd if this script is ever interrupted. + if (! -e $dst) { + my $tmp = "$dst.tmp"; + copy $path, $tmp or die "cannot copy $path to $tmp\n"; + rename $tmp, $dst or die "cannot rename $tmp to $dst\n"; + } + $copied{$dst} = 1; + return "$bootRoot/kernels/$name"; +} + +sub addEntry { + my ($name, $path) = @_; + return if $curEntry++ > $configurationLimit; + return unless -e "$path/kernel" && -e "$path/initrd"; + + my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); + my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); + my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen")) : undef; + + # FIXME: $confName + + my $kernelParams = + "systemConfig=" . Cwd::abs_path($path) . " " . + "init=" . Cwd::abs_path("$path/init") . " " . + join " ", IO::File->new("$path/kernel-params")->getlines; + my $xenParams = $xen && -e "$path/xen-params" ? join " ", IO::File->new("$path/xen-params")->getlines : ""; + + if ($grubVersion == 1) { + $conf .= "title $name\n"; + $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; + $conf .= " kernel $xen $xenParams\n" if $xen; + $conf .= " " . ($xen ? "module" : "kernel") . " $kernel $kernelParams\n"; + $conf .= " " . ($xen ? "module" : "initrd") . " $initrd\n\n"; + } else { + $conf .= "menuentry \"$name\" {\n"; + $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; + $conf .= " multiboot $xen $xenParams\n" if $xen; + $conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n"; + $conf .= " " . ($xen ? "module" : "initrd") . " $initrd\n"; + $conf .= "}\n\n"; + } +} + + +# Add default entries. +$conf .= "$extraEntries\n" if $extraEntriesBeforeNixOS; + +addEntry("NixOS - Default", $defaultConfig); + +$conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS; + + +# Add entries for all previous generations of the system profile. 
+$conf .= "submenu \"NixOS - Old configurations\" {\n" if $grubVersion == 2; + +sub nrFromGen { my ($x) = @_; $x =~ /system-(.*)-link/; return $1; } + +my @links = sort + { nrFromGen($b) <=> nrFromGen($a) } + (glob "/nix/var/nix/profiles/system-*-link"); + +foreach my $link (@links) { + my $date = strftime("%F", localtime(lstat($link)->mtime)); + my $version = + -e "$link/nixos-version" + ? IO::File->new("$link/nixos-version")->getline + : basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]); + addEntry("NixOS - Configuration " . nrFromGen($link) . " ($date - $version)", $link); +} + +$conf .= "}\n" if $grubVersion == 2; + + +# Atomically update the GRUB config. +my $confFile = $grubVersion == 1 ? "/boot/grub/menu.lst" : "/boot/grub/grub.cfg"; +my $tmpFile = $confFile . ".tmp"; +open CONF, ">$tmpFile" or die "cannot open $tmpFile for writing\n"; +print CONF $conf or die; +close CONF; +rename $tmpFile, $confFile or die "cannot rename $tmpFile to $confFile\n"; + + +# Remove obsolete files from /boot/kernels. +foreach my $fn (glob "/boot/kernels/*") { + next if defined $copied{$fn}; + print STDERR "removing obsolete file $fn\n"; + unlink $fn; +} diff --git a/modules/installer/grub/grub-menu-builder.sh b/modules/installer/grub/grub-menu-builder.sh deleted file mode 100644 index f0e9fdb288c7..000000000000 --- a/modules/installer/grub/grub-menu-builder.sh +++ /dev/null 
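Review bot: In addEntry the Xen hypervisor is tested as `$path/xen.gz` but copied as `Cwd::abs_path("$path/xen")`, so whenever xen.gz is present copyToKernelsDir is handed a path that does not exist and the entry is either broken or the script dies in the copy; the deleted shell script resolved `xen.gz` for both. The fix is `my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;`. The entry limit is also off by one: `$curEntry++ > $configurationLimit` compares before incrementing, so `configurationLimit` entries plus one get through, whereas the shell version incremented first; `++$curEntry > $configurationLimit` restores that. Separately, the version string read from `$link/nixos-version` is spliced into `menuentry \"$name\"` unescaped, so a stray double quote or newline in that file yields an unparsable grub.cfg; stripping those characters from `$name` before use (`$name =~ s/["\n]//g;`) keeps the generated file well-formed.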
@@ -1,305 +0,0 @@ -#! @bash@/bin/sh -e - -shopt -s nullglob - -export PATH=/empty -for i in @path@; do PATH=$PATH:$i/bin; done - -if test $# -ne 1; then - echo "Usage: grub-menu-builder.sh DEFAULT-CONFIG" - exit 1 -fi - -grubVersion="@version@" -defaultConfig="$1" - -case "$grubVersion" in - 1|2) - echo "updating GRUB $grubVersion menu..." - ;; - *) - echo "Unsupported GRUB version \`$grubVersion'" >&2 - echo "Supported versions are \`1' (GRUB Legacy) and \`2' (GRUB 1.9x)." >&2 - exit 1 - ;; -esac - - -# Discover whether /boot is on the same filesystem as / and -# /nix/store. If not, then all kernels and initrds must be copied to -# /boot, and all paths in the GRUB config file must be relative to the -# root of the /boot filesystem. `$bootRoot' is the path to be -# prepended to paths under /boot. -if [ "$(stat -c '%D' /.)" != "$(stat -c '%D' /boot/.)" ]; then - bootRoot= - copyKernels=1 -elif [ "$(stat -c '%D' /boot/.)" != "$(stat -c '%D' /nix/store/.)" ]; then - bootRoot=/boot - copyKernels=1 -else - bootRoot=/boot - copyKernels="@copyKernels@" # user can override in the NixOS config -fi - - -prologue() { - case "$grubVersion" in - 1) - cat > "$1" << GRUBEND -# Automatically generated. DO NOT EDIT THIS FILE! -default @default@ -timeout @timeout@ -GRUBEND - if [ -n "@splashImage@" ]; then - cp -f "@splashImage@" /boot/background.xpm.gz - echo "splashimage $bootRoot/background.xpm.gz" >> "$1" - fi - ;; - 2) - cp -f @grub@/share/grub/unicode.pf2 /boot/grub/unicode.pf2 - cat > "$1" <> "$1" <-/file to --. -cleanName() { - local path="$1" - echo "$path" | sed 's|^/nix/store/||' | sed 's|/|-|g' -} - - -# Copy a file from the Nix store to /boot/kernels. -declare -A filesCopied - -copyToKernelsDir() { - local src="$1" - local p="kernels/$(cleanName $src)" - local dst="/boot/$p" - # Don't copy the file if $dst already exists. This means that we - # have to create $dst atomically to prevent partially copied - # kernels or initrd if this script is ever interrupted. - if ! 
test -e $dst; then - local dstTmp=$dst.tmp.$$ - cp "$src" "$dstTmp" - mv $dstTmp $dst - fi - filesCopied[$dst]=1 - result="$bootRoot/$p" -} - - -# Add an entry for a configuration to the Grub menu, and if -# appropriate, copy its kernel and initrd to /boot/kernels. -addEntry() { - local name="$1" - local path="$2" - local shortSuffix="$3" - - configurationCounter=$((configurationCounter + 1)) - if test $configurationCounter -gt @configurationLimit@; then - return - fi - - if ! test -e $path/kernel -a -e $path/initrd; then - return - fi - - local kernel=$(readlink -f $path/kernel) - local initrd=$(readlink -f $path/initrd) - local xen=$([ -f $path/xen.gz ] && readlink -f $path/xen.gz) - - if test "$path" = "$defaultConfig"; then - cp "$kernel" /boot/nixos-kernel - cp "$initrd" /boot/nixos-initrd - cp "$(readlink -f "$path/init")" /boot/nixos-init - case "$grubVersion" in - 1) - cat > /boot/nixos-grub-config < /boot/nixos-grub-config </dev/null || true) - if test -n "$confName"; then - name="$confName $3" - fi - - local kernelParams="systemConfig=$(readlink -f $path) init=$(readlink -f $path/init) $(cat $path/kernel-params)" - local xenParams="$([ -n "$xen" ] && cat $path/xen-params)" - - case "$grubVersion" in - 1) - cat >> "$tmp" << GRUBEND -title $name - @extraPerEntryConfig@ - ${xen:+kernel $xen $xenParams} - $(if [ -z "$xen" ]; then echo kernel; else echo module; fi) $kernel $kernelParams - $(if [ -z "$xen" ]; then echo initrd; else echo module; fi) $initrd -GRUBEND - ;; - 2) - cat >> "$tmp" << GRUBEND -menuentry "$name" { - @extraPerEntryConfig@ - ${xen:+multiboot $xen $xenParams} - $(if [ -z "$xen" ]; then echo linux; else echo module; fi) $kernel $kernelParams - $(if [ -z "$xen" ]; then echo initrd; else echo module; fi) $initrd -} -GRUBEND - ;; - esac -} - - -if test -n "$copyKernels"; then - mkdir -p /boot/kernels -fi - -@extraPrepareConfig@ - -# Additional entries specified verbatim by the configuration. 
-extraEntries=`cat <> $tmp <> $tmp -fi - -addEntry "NixOS - Default" $defaultConfig "" - -if test -z "@extraEntriesBeforeNixOS@"; then - echo "$extraEntries" >> $tmp -fi - -# Add all generations of the system profile to the menu, in reverse -# (most recent to least recent) order. -for link in $((ls -d $defaultConfig/fine-tune/* ) | sort -n); do - date=$(stat --printf="%y\n" $link | sed 's/\..*//') - addEntry "NixOS - variation" $link "" -done - -if [ "$grubVersion" = 2 ]; then - cat >> $tmp <> $tmp < Date: Tue, 24 Jul 2012 19:22:19 -0400 Subject: [PATCH 19/49] =?UTF-8?q?Pass=20the=20=E2=80=98--recheck=E2=80=99?= =?UTF-8?q?=20flag=20to=20grub-install?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/system/activation/switch-to-configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/activation/switch-to-configuration.sh b/modules/system/activation/switch-to-configuration.sh index 244bd9e72a5e..5958df1ed483 100644 --- a/modules/system/activation/switch-to-configuration.sh +++ b/modules/system/activation/switch-to-configuration.sh @@ -36,7 +36,7 @@ if [ "$action" = "switch" -o "$action" = "boot" ]; then for dev in @grubDevices@; do if [ "$dev" != nodev ]; then echo "installing the GRUB bootloader on $dev..." - @grub@/sbin/grub-install "$(readlink -f "$dev")" --no-floppy + @grub@/sbin/grub-install --recheck "$(readlink -f "$dev")" --no-floppy fi done echo "$newGrubVersion" > /boot/grub/version From fb15b1894e832c8a1820e36791ac92c404bc29bc Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 Jul 2012 19:27:16 -0400 Subject: [PATCH 20/49] Add missing progress message --- modules/installer/grub/grub-menu-builder.pl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/installer/grub/grub-menu-builder.pl b/modules/installer/grub/grub-menu-builder.pl index 7f0dc15836bc..27c923a279a4 100644 --- a/modules/installer/grub/grub-menu-builder.pl 
+++ b/modules/installer/grub/grub-menu-builder.pl
@@ -29,6 +29,8 @@ my $defaultEntry = int(get("default"));
 die "unsupported GRUB version\n" if $grubVersion != 1 && $grubVersion != 2;
+print STDERR "updating GRUB $grubVersion menu...\n";
+
 mkpath("/boot/grub", 0, 0700);
From a0721ad2b3167f7f02b7af61709c646d6b16ee47 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 Jul 2012 22:04:28 -0400 Subject: [PATCH 21/49] stage-1-init: Use mount --move to move /sys etc. to the target root This fixes warnings about /sys/kernel/security during shutdown and cleans up /proc/mounts. --- modules/system/boot/stage-1-init.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/system/boot/stage-1-init.sh b/modules/system/boot/stage-1-init.sh
index 175b58a3719c..112d3798aec5 100644
--- a/modules/system/boot/stage-1-init.sh
+++ b/modules/system/boot/stage-1-init.sh
@@ -362,10 +362,10 @@ fi
 mkdir -m 0755 -p $targetRoot/proc $targetRoot/sys $targetRoot/dev $targetRoot/run
-mount --bind /proc $targetRoot/proc
-mount --bind /sys $targetRoot/sys
-mount --bind /dev $targetRoot/dev
-mount --bind /run $targetRoot/run
+mount --move /proc $targetRoot/proc
+mount --move /sys $targetRoot/sys
+mount --move /dev $targetRoot/dev
+mount --move /run $targetRoot/run
 exec switch_root "$targetRoot" "$stage2Init"
From be4c4d79cf7799dcf5d8efd029433379477f77e4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 24 Jul 2012 22:37:16 -0400 Subject: [PATCH 22/49] grub-menu-builder: GRUB now installs unicode.pf2 automatically --- modules/installer/grub/grub-menu-builder.pl | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/installer/grub/grub-menu-builder.pl b/modules/installer/grub/grub-menu-builder.pl
index 27c923a279a4..6ac55f3b7afe 100644
--- a/modules/installer/grub/grub-menu-builder.pl
+++ b/modules/installer/grub/grub-menu-builder.pl
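Review bot: The four `mount --move` lines are unchecked, and unlike a bind mount a move is refused by the kernel when the source sits under a shared mount, so a propagation change elsewhere in the initrd would silently leave the target root without /proc, /sys, /dev or /run; whether this script runs under `set -e` is outside the hunk, so the failure mode cannot be confirmed from here. After the move the initrd's own /proc is gone, so nothing between these lines and `exec switch_root` may read it any more; a comment recording that constraint, `# moved, not bind-mounted: nothing below may touch /proc, /sys, /dev or /run before switch_root`, would protect later edits. The enclosing script continues outside the hunk.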
@@ -63,8 +63,6 @@ if ($grubVersion == 1) { } else { - copy "$grub/share/grub/unicode.pf2", "/boot/grub/unicode.pf2" or die "cannot copy unicode.pf2 to /boot/grub: $!\n"; - $conf .= " if [ -s \$prefix/grubenv ]; then load_env @@ -86,7 +84,7 @@ else { set timeout=$timeout fi - if loadfont $bootRoot/grub/unicode.pf2; then + if loadfont $bootRoot/grub/fonts/unicode.pf2; then set gfxmode=640x480 insmod gfxterm insmod vbe From 1b743526bdb3e1bd231a378597f12133ea8fb320 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 09:27:51 -0400 Subject: [PATCH 23/49] grub.nix: Handle null values http://hydra.nixos.org/build/2894714 --- modules/installer/grub/grub.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/installer/grub/grub.nix b/modules/installer/grub/grub.nix index c4bb3bd16cb3..3a76e08f26ad 100644 --- a/modules/installer/grub/grub.nix +++ b/modules/installer/grub/grub.nix @@ -8,9 +8,11 @@ let grub = if cfg.version == 1 then pkgs.grub else pkgs.grub2; + f = x: if x == null then "" else "" + x; + grubConfig = pkgs.writeText "grub-config.xml" (builtins.toXML - { splashImage = "" + config.boot.loader.grub.splashImage; - grub = "" + grub; + { splashImage = f config.boot.loader.grub.splashImage; + grub = f grub; inherit (config.boot.loader.grub) version extraConfig extraPerEntryConfig extraEntries extraEntriesBeforeNixOS configurationLimit copyKernels timeout From b15e1fbb08eb94534ccc1aa8717816a042b260b8 Mon Sep 17 00:00:00 2001 
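Review bot: With the explicit copy removed, `$bootRoot/grub/fonts/unicode.pf2` exists only once grub-install has populated /boot/grub, and the surrounding scripts appear to run grub-install only when the GRUB version changes; on an already installed system the `if loadfont` guard will then quietly skip gfxterm rather than report anything. A comment on the changed line, `# unicode.pf2 is placed in fonts/ by grub-install, not by this script`, would record that dependency for the next maintainer. The menu-building code around this hunk starts and ends outside the hunk.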
From: Eelco Dolstra Date: Wed, 25 Jul 2012 10:47:32 -0400 Subject: [PATCH 24/49] Boot loader refactoring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Renamed system.build.menuBuilder to system.build.installBootLoader. - ‘install-grub.pl’ (formerly grub-menu-builder.pl) now generates the GRUB menu *and* installs GRUB (if necessary). - ‘switch-to-configuration.sh’ has no boot loader specific knowledge anymore. It just calls installBootLoader. --- modules/installer/cd-dvd/iso-image.nix | 1 - .../cd-dvd/system-tarball-fuloong2f.nix | 3 -- .../cd-dvd/system-tarball-sheevaplug.nix | 3 -- .../installer/efi-boot-stub/efi-boot-stub.nix | 4 +- .../generations-dir/generations-dir.nix | 4 +- modules/installer/grub/grub.nix | 7 ++-- .../{grub-menu-builder.pl => install-grub.pl} | 39 +++++++++++++++---- .../activation/switch-to-configuration.sh | 28 +------------ modules/system/activation/top-level.nix | 21 ++-------- 9 files changed, 43 insertions(+), 67 deletions(-) rename modules/installer/grub/{grub-menu-builder.pl => install-grub.pl} (84%) diff --git a/modules/installer/cd-dvd/iso-image.nix b/modules/installer/cd-dvd/iso-image.nix index c1094daa49fa..4f87f29f2e92 100644 --- a/modules/installer/cd-dvd/iso-image.nix +++ b/modules/installer/cd-dvd/iso-image.nix @@ -168,7 +168,6 @@ in boot.loader.grub.enable = false; # !!! Hack - attributes expected by other modules. - system.build.menuBuilder = "true"; system.boot.loader.kernelFile = "bzImage"; environment.systemPackages = [ pkgs.grub2 ]; diff --git a/modules/installer/cd-dvd/system-tarball-fuloong2f.nix b/modules/installer/cd-dvd/system-tarball-fuloong2f.nix index 5a23a394f7f7..5b6e0036639b 100644 --- a/modules/installer/cd-dvd/system-tarball-fuloong2f.nix +++ b/modules/installer/cd-dvd/system-tarball-fuloong2f.nix 
@@ -170,9 +170,6 @@ in boot.loader.generationsDir.enable = false; system.boot.loader.kernelFile = "vmlinux"; - # Needed for nixos to evaluate - system.build.menuBuilder = "true"; - nixpkgs.config = { platform = pkgs.platforms.fuloong2f_n32; }; diff --git a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 24e7a0063149..f53079ecd9b0 100644 --- a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -177,9 +177,6 @@ in services.ttyBackgrounds.enable = false; jobs.openssh.startOn = pkgs.lib.mkOverrideTemplate 50 {} ""; - # Needed for nixos to evaluate - system.build.menuBuilder = "true"; - nixpkgs.config = { platform = pkgs.platforms.sheevaplug; }; diff --git a/modules/installer/efi-boot-stub/efi-boot-stub.nix b/modules/installer/efi-boot-stub/efi-boot-stub.nix index 1ca3cb0001eb..a4e0ebd9845f 100644 --- a/modules/installer/efi-boot-stub/efi-boot-stub.nix +++ b/modules/installer/efi-boot-stub/efi-boot-stub.nix @@ -123,9 +123,7 @@ in system = mkIf (config.boot.loader.efiBootStub.enable && (assert (config.boot.kernelPackages.kernel.features ? efiBootStub && config.boot.kernelPackages.kernel.features.efiBootStub); true)) { - build = { - menuBuilder = efiBootStubBuilder; - }; + build.installBootLoader = efiBootStubBuilder; boot.loader.id = "efiBootStub"; boot.loader.kernelFile = platform.kernelTarget; }; diff --git a/modules/installer/generations-dir/generations-dir.nix b/modules/installer/generations-dir/generations-dir.nix index db9fa32c55a9..b67cf7e56e73 100644 --- a/modules/installer/generations-dir/generations-dir.nix +++ b/modules/installer/generations-dir/generations-dir.nix 
@@ -63,9 +63,7 @@ in ]; system = mkIf config.boot.loader.generationsDir.enable { - build = { - menuBuilder = generationsDirBuilder; - }; + build.installBootLoader = generationsDirBuilder; boot.loader.id = "generationsDir"; boot.loader.kernelFile = platform.kernelTarget; }; diff --git a/modules/installer/grub/grub.nix b/modules/installer/grub/grub.nix index 3a76e08f26ad..0a9b374cc60c 100644 --- a/modules/installer/grub/grub.nix +++ b/modules/installer/grub/grub.nix @@ -13,10 +13,11 @@ let grubConfig = pkgs.writeText "grub-config.xml" (builtins.toXML { splashImage = f config.boot.loader.grub.splashImage; grub = f grub; + fullVersion = (builtins.parseDrvName config.system.build.grub.name).version; inherit (config.boot.loader.grub) version extraConfig extraPerEntryConfig extraEntries extraEntriesBeforeNixOS configurationLimit copyKernels timeout - default; + default devices; }); in @@ -199,9 +200,9 @@ in system.build = mkAssert (cfg.devices != []) "You must set the ‘boot.loader.grub.device’ option to make the system bootable." - { menuBuilder = + { installBootLoader = "PERL5LIB=${makePerlPath [ pkgs.perlPackages.XMLLibXML pkgs.perlPackages.XMLSAX ]} " + - "${pkgs.perl}/bin/perl ${./grub-menu-builder.pl} ${grubConfig}"; + "${pkgs.perl}/bin/perl ${./install-grub.pl} ${grubConfig}"; inherit grub; }; diff --git a/modules/installer/grub/grub-menu-builder.pl b/modules/installer/grub/install-grub.pl similarity index 84% rename from modules/installer/grub/grub-menu-builder.pl rename to modules/installer/grub/install-grub.pl index 6ac55f3b7afe..76fa71c827fd 100644 --- a/modules/installer/grub/grub-menu-builder.pl +++ b/modules/installer/grub/install-grub.pl @@ -5,7 +5,6 @@ use File::Basename; use File::Path; use File::stat; use File::Copy; -use IO::File; use POSIX; use Cwd; 
@@ -15,6 +14,19 @@ my $dom = XML::LibXML->load_xml(location => $ARGV[0]); sub get { my ($name) = @_; return $dom->findvalue("/expr/attrs/attr[\@name = '$name']/*/\@value"); } +sub readFile { + my ($fn) = @_; local $/ = undef; + open FILE, "<$fn" or return undef; my $s = ; close FILE; + local $/ = "\n"; chomp $s; return $s; +} + +sub writeFile { + my ($fn, $s) = @_; + open FILE, ">$fn" or die "cannot create $fn: $!\n"; + print FILE $s or die; + close FILE or die; +} + my $grub = get("grub"); my $grubVersion = int(get("version")); my $extraConfig = get("extraConfig"); @@ -151,8 +163,8 @@ sub addEntry { my $kernelParams = "systemConfig=" . Cwd::abs_path($path) . " " . "init=" . Cwd::abs_path("$path/init") . " " . - join " ", IO::File->new("$path/kernel-params")->getlines; - my $xenParams = $xen && -e "$path/xen-params" ? join " ", IO::File->new("$path/xen-params")->getlines : ""; + readFile("$path/kernel-params"); + my $xenParams = $xen && -e "$path/xen-params" ? readFile("$path/xen-params") : ""; if ($grubVersion == 1) { $conf .= "title $name\n"; @@ -192,7 +204,7 @@ foreach my $link (@links) { my $date = strftime("%F", localtime(lstat($link)->mtime)); my $version = -e "$link/nixos-version" - ? IO::File->new("$link/nixos-version")->getline + ? readFile("$link/nixos-version") : basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]); addEntry("NixOS - Configuration " . nrFromGen($link) . " ($date - $version)", $link); } @@ -203,9 +215,7 @@ $conf .= "}\n" if $grubVersion == 2; # Atomically update the GRUB config. my $confFile = $grubVersion == 1 ? "/boot/grub/menu.lst" : "/boot/grub/grub.cfg"; my $tmpFile = $confFile . ".tmp"; -open CONF, ">$tmpFile" or die "cannot open $tmpFile for writing\n"; -print CONF $conf or die; -close CONF; +writeFile($tmpFile, $conf); rename $tmpFile, $confFile or die "cannot rename $tmpFile to $confFile\n"; 
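Review bot: `readFile` returns undef for any file it cannot open, and the addEntry call site now does `. readFile("$path/kernel-params")`, so a missing or unreadable kernel-params file produces a menu entry with truncated kernel parameters (and only a warning) where the previous `IO::File->new(...)->getlines` died outright. If that is not intended, fail there: `my $params = readFile("$path/kernel-params") // die "cannot read $path/kernel-params\n";`. As a point of style, both helpers use a global bareword handle and two-arg open; `open(my $fh, '<', $fn) or return undef;` is the lexical three-arg form and stops readFile and writeFile sharing the same `FILE` handle. The `my $s = ;` line looks garbled in this rendering — presumably the `<FILE>` read was lost — so that line should be checked against the actual file.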
@@ -215,3 +225,18 @@ foreach my $fn (glob "/boot/kernels/*") {
 print STDERR "removing obsolete file $fn\n";
 unlink $fn;
 }
+
+
+# Install GRUB if the version changed from the last time we installed
+# it. FIXME: shouldn't we reinstall if ‘devices’ changed?
+my $prevVersion = readFile("/boot/grub/version") // "";
+if (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1" || get("fullVersion") ne $prevVersion) {
+ foreach my $dev ($dom->findnodes('/expr/attrs/attr[@name = "devices"]/list/string/@value')) {
+ $dev = $dev->findvalue(".") or die;
+ next if $dev eq "nodev";
+ print STDERR "installing the GRUB $grubVersion boot loader on $dev...\n";
+ system("$grub/sbin/grub-install", "--recheck", Cwd::abs_path($dev)) == 0
+ or die "$0: installation of GRUB on $dev failed\n";
+ }
+ writeFile("/boot/grub/version", get("fullVersion"));
+}
diff --git a/modules/system/activation/switch-to-configuration.sh b/modules/system/activation/switch-to-configuration.sh
index 5958df1ed483..fea0b05ef34f 100644
--- a/modules/system/activation/switch-to-configuration.sh
+++ b/modules/system/activation/switch-to-configuration.sh
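Review bot: The grub-install call drops the `--no-floppy` flag that the shell invocation it replaces passed (visible in the removed lines of switch-to-configuration.sh in this same patch), so device probing may now touch floppy drives; if the drop is deliberate a comment should say so, otherwise restore it: `system("$grub/sbin/grub-install", "--recheck", "--no-floppy", Cwd::abs_path($dev)) == 0`. `Cwd::abs_path($dev)` may return undef when the device node does not exist, which then reaches system() as an empty argument and yields a confusing grub-install error; a preceding `-e $dev or die "device $dev does not exist\n";` gives a clear message. Passing the arguments as a list rather than a single shell string is the right call here, since `$dev` comes from the evaluated configuration.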
@@ -23,32 +23,8 @@ fi
 # Install or update the bootloader.
 if [ "$action" = "switch" -o "$action" = "boot" ]; then
-
- if [ "@bootLoader@" = "grub" ]; then
-
- @menuBuilder@ @out@
-
- # If the GRUB version has changed, then force a reinstall.
- oldGrubVersion="$(cat /boot/grub/version 2>/dev/null || true)"
- newGrubVersion="@grubVersion@"
-
- if [ "$NIXOS_INSTALL_GRUB" = 1 -o "$oldGrubVersion" != "$newGrubVersion" ]; then
- for dev in @grubDevices@; do
- if [ "$dev" != nodev ]; then
- echo "installing the GRUB bootloader on $dev..."
- @grub@/sbin/grub-install --recheck "$(readlink -f "$dev")" --no-floppy
- fi
- done
- echo "$newGrubVersion" > /boot/grub/version
- fi
-
- elif [ "@bootLoader@" = "generationsDir" ]; then
- @menuBuilder@ @out@
- elif [ "@bootLoader@" = "efiBootStub" ]; then
- @menuBuilder@ @out@
- else
- echo "Warning: don't know how to make this configuration bootable; please enable a boot loader." 1>&2
- fi
+
+ @installBootLoader@ @out@
 if [ -n "@initScriptBuilder@" ]; then
 @initScriptBuilder@ @out@
diff --git a/modules/system/activation/top-level.nix b/modules/system/activation/top-level.nix
index 3edc92d502cc..0e1a9a3d2adc 100644
--- a/modules/system/activation/top-level.nix
+++ b/modules/system/activation/top-level.nix
@@ -101,9 +101,6 @@ let
 ln -s ${kernelPath} $out/kernel
 ln -s ${config.system.modulesTree} $out/kernel-modules
- if [ -n "$grub" ]; then
- ln -s $grub $out/grub
- fi
 ln -s ${config.system.build.initialRamdisk}/initrd $out/initrd
@@ -152,7 +149,9 @@ let
 inherit children;
 kernelParams = config.boot.kernelParams ++ config.boot.extraKernelParams;
- menuBuilder = config.system.build.menuBuilder or "true";
+ installBootLoader =
+ config.system.build.installBootLoader
+ or "echo 'Warning: don't know how to make this configuration bootable; please enable a boot loader.' 1>&2; true";
 initScriptBuilder = config.system.build.initScriptBuilder;
 activationScript = config.system.activationScripts.script;
 nixosVersion = config.system.nixosVersion;
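Review bot: The fallback value for `installBootLoader` in the top-level.nix hunk is not valid shell: the single-quoted `echo` argument contains the apostrophe in `don't`, which ends the quote early and leaves an unmatched `'` before `1>&2`, so the no-boot-loader path fails with a syntax error instead of printing its warning. Since this string is substituted into switch-to-configuration.sh as `@installBootLoader@`, use the double-quoted form the removed shell line used: `or "echo \"Warning: don't know how to make this configuration bootable; please enable a boot loader.\" 1>&2; true";`. The attribute set this line belongs to starts and ends outside the hunk.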
@@ -176,20 +175,6 @@ let config.system.build.upstart # for initctl ]; - # Boot loaders - bootLoader = config.system.boot.loader.id; - grub = - if config.boot.loader.grub.enable - then config.system.build.grub - else null; - grubVersion = - if config.boot.loader.grub.enable - then (builtins.parseDrvName config.system.build.grub.name).version - else ""; - grubDevices = - let - wrapQuotes = s: "\"" + s + "\""; - in map wrapQuotes config.boot.loader.grub.devices; configurationName = config.boot.loader.grub.configurationName; }; From 8b91a5f2ff2f5489ff5e06ffd071341ae1452781 Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Wed, 25 Jul 2012 10:59:03 -0400 Subject: [PATCH 25/49] Move boot loader modules to modules/system/boot/loader --- modules/module-list.nix | 14 +++++++------- .../efi-boot-stub/efi-boot-stub-builder.sh | 0 .../boot/loader}/efi-boot-stub/efi-boot-stub.nix | 0 .../generations-dir/generations-dir-builder.sh | 0 .../loader}/generations-dir/generations-dir.nix | 2 +- .../boot/loader}/grub/grub.nix | 0 .../boot/loader}/grub/install-grub.pl | 0 .../boot/loader}/grub/memtest.nix | 0 .../loader}/grub/winkler-gnu-blue-640x480.png | Bin .../boot/loader}/grub/winkler-gnu-blue.README | 0 10 files changed, 8 insertions(+), 8 deletions(-) rename modules/{installer => system/boot/loader}/efi-boot-stub/efi-boot-stub-builder.sh (100%) rename modules/{installer => system/boot/loader}/efi-boot-stub/efi-boot-stub.nix (100%) rename modules/{installer => system/boot/loader}/generations-dir/generations-dir-builder.sh (100%) rename modules/{installer => system/boot/loader}/generations-dir/generations-dir.nix (95%) rename modules/{installer => system/boot/loader}/grub/grub.nix (100%) rename modules/{installer => system/boot/loader}/grub/install-grub.pl (100%) rename modules/{installer => system/boot/loader}/grub/memtest.nix (100%) rename modules/{installer => system/boot/loader}/grub/winkler-gnu-blue-640x480.png (100%) rename modules/{installer => system/boot/loader}/grub/winkler-gnu-blue.README (100%) diff --git a/modules/module-list.nix b/modules/module-list.nix index 2e6f77afa1fc..f5296ccf9423 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -14,6 +14,7 @@ ./config/timezone.nix ./config/unix-odbc-drivers.nix ./config/users-groups.nix + ./hardware/all-firmware.nix ./hardware/cpu/intel-microcode.nix ./hardware/network/b43.nix ./hardware/network/intel-2100bg.nix 
@@ -22,11 +23,6 @@ ./hardware/network/rt73.nix ./hardware/network/rtl8192c.nix ./hardware/pcmcia.nix - ./hardware/all-firmware.nix - ./installer/efi-boot-stub/efi-boot-stub.nix - ./installer/generations-dir/generations-dir.nix - ./installer/grub/grub.nix - ./installer/grub/memtest.nix ./installer/init-script/init-script.nix ./installer/tools/nixos-checkout.nix ./installer/tools/tools.nix @@ -34,8 +30,8 @@ ./misc/check-config.nix ./misc/crashdump.nix ./misc/ids.nix - ./misc/locate.nix ./misc/lib.nix + ./misc/locate.nix ./misc/nixpkgs.nix ./misc/passthru.nix ./misc/version.nix @@ -60,8 +56,8 @@ ./services/amqp/rabbitmq.nix ./services/audio/alsa.nix ./services/audio/fuppes.nix - ./services/audio/pulseaudio.nix ./services/audio/mpd.nix + ./services/audio/pulseaudio.nix ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix ./services/backup/sitecopy-backup.nix @@ -199,6 +195,10 @@ ./system/activation/activation-script.nix ./system/activation/top-level.nix ./system/boot/kernel.nix + ./system/boot/loader/efi-boot-stub/efi-boot-stub.nix + ./system/boot/loader/generations-dir/generations-dir.nix + ./system/boot/loader/grub/grub.nix + ./system/boot/loader/grub/memtest.nix ./system/boot/luksroot.nix ./system/boot/modprobe.nix ./system/boot/stage-1.nix diff --git a/modules/installer/efi-boot-stub/efi-boot-stub-builder.sh b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh similarity index 100% rename from modules/installer/efi-boot-stub/efi-boot-stub-builder.sh rename to modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh diff --git a/modules/installer/efi-boot-stub/efi-boot-stub.nix b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix similarity index 100% rename from modules/installer/efi-boot-stub/efi-boot-stub.nix rename to modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix 
diff --git a/modules/installer/generations-dir/generations-dir-builder.sh b/modules/system/boot/loader/generations-dir/generations-dir-builder.sh similarity index 100% rename from modules/installer/generations-dir/generations-dir-builder.sh rename to modules/system/boot/loader/generations-dir/generations-dir-builder.sh diff --git a/modules/installer/generations-dir/generations-dir.nix b/modules/system/boot/loader/generations-dir/generations-dir.nix similarity index 95% rename from modules/installer/generations-dir/generations-dir.nix rename to modules/system/boot/loader/generations-dir/generations-dir.nix index b67cf7e56e73..8184b9c0a98d 100644 --- a/modules/installer/generations-dir/generations-dir.nix +++ b/modules/system/boot/loader/generations-dir/generations-dir.nix @@ -19,7 +19,7 @@ let point to the current generation's kernel image, initial RAM disk, and other bootstrap files. - This optional is not necessary with bootloads such as GNU GRUB + This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a diff --git a/modules/installer/grub/grub.nix b/modules/system/boot/loader/grub/grub.nix similarity index 100% rename from modules/installer/grub/grub.nix rename to modules/system/boot/loader/grub/grub.nix diff --git a/modules/installer/grub/install-grub.pl b/modules/system/boot/loader/grub/install-grub.pl similarity index 100% rename from modules/installer/grub/install-grub.pl rename to modules/system/boot/loader/grub/install-grub.pl diff --git a/modules/installer/grub/memtest.nix b/modules/system/boot/loader/grub/memtest.nix similarity index 100% rename from modules/installer/grub/memtest.nix rename to modules/system/boot/loader/grub/memtest.nix 
diff --git a/modules/installer/grub/winkler-gnu-blue-640x480.png b/modules/system/boot/loader/grub/winkler-gnu-blue-640x480.png similarity index 100% rename from modules/installer/grub/winkler-gnu-blue-640x480.png rename to modules/system/boot/loader/grub/winkler-gnu-blue-640x480.png diff --git a/modules/installer/grub/winkler-gnu-blue.README b/modules/system/boot/loader/grub/winkler-gnu-blue.README similarity index 100% rename from modules/installer/grub/winkler-gnu-blue.README rename to modules/system/boot/loader/grub/winkler-gnu-blue.README From b52117c34d582075beed6c70368aeec4864b5d03 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 11:30:16 -0400 Subject: [PATCH 26/49] Treat init-script as a boot loader --- modules/module-list.nix | 2 +- modules/system/activation/switch-to-configuration.sh | 5 ----- modules/system/activation/top-level.nix | 1 - .../boot/loader}/init-script/init-script-builder.sh | 2 +- .../boot/loader}/init-script/init-script.nix | 5 ++--- 5 files changed, 4 insertions(+), 11 deletions(-) rename modules/{installer => system/boot/loader}/init-script/init-script-builder.sh (97%) rename modules/{installer => system/boot/loader}/init-script/init-script.nix (87%) diff --git a/modules/module-list.nix b/modules/module-list.nix index f5296ccf9423..e2c9516ac463 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -23,7 +23,6 @@ ./hardware/network/rt73.nix ./hardware/network/rtl8192c.nix ./hardware/pcmcia.nix - ./installer/init-script/init-script.nix ./installer/tools/nixos-checkout.nix ./installer/tools/tools.nix ./misc/assertions.nix @@ -199,6 +198,7 @@ ./system/boot/loader/generations-dir/generations-dir.nix ./system/boot/loader/grub/grub.nix ./system/boot/loader/grub/memtest.nix + ./system/boot/loader/init-script/init-script.nix ./system/boot/luksroot.nix ./system/boot/modprobe.nix ./system/boot/stage-1.nix 
diff --git a/modules/system/activation/switch-to-configuration.sh b/modules/system/activation/switch-to-configuration.sh index fea0b05ef34f..285b095aa3ed 100644 --- a/modules/system/activation/switch-to-configuration.sh +++ b/modules/system/activation/switch-to-configuration.sh @@ -23,12 +23,7 @@ fi # Install or update the bootloader. if [ "$action" = "switch" -o "$action" = "boot" ]; then - @installBootLoader@ @out@ - - if [ -n "@initScriptBuilder@" ]; then - @initScriptBuilder@ @out@ - fi fi # Activate the new configuration. diff --git a/modules/system/activation/top-level.nix b/modules/system/activation/top-level.nix index 0e1a9a3d2adc..1eea759d8c99 100644 --- a/modules/system/activation/top-level.nix +++ b/modules/system/activation/top-level.nix @@ -152,7 +152,6 @@ let installBootLoader = config.system.build.installBootLoader or "echo 'Warning: don't know how to make this configuration bootable; please enable a boot loader.' 1>&2; true"; - initScriptBuilder = config.system.build.initScriptBuilder; activationScript = config.system.activationScripts.script; nixosVersion = config.system.nixosVersion; diff --git a/modules/installer/init-script/init-script-builder.sh b/modules/system/boot/loader/init-script/init-script-builder.sh similarity index 97% rename from modules/installer/init-script/init-script-builder.sh rename to modules/system/boot/loader/init-script/init-script-builder.sh index f091dc8b6c89..502b3b63af2f 100644 --- a/modules/installer/init-script/init-script-builder.sh +++ b/modules/system/boot/loader/init-script/init-script-builder.sh @@ -6,7 +6,7 @@ export PATH=/empty for i in @path@; do PATH=$PATH:$i/bin; done if test $# -ne 1; then - echo "Usage: grub-menu-builder.sh DEFAULT-CONFIG" + echo "Usage: init-script-builder.sh DEFAULT-CONFIG" exit 1 fi 
diff --git a/modules/installer/init-script/init-script.nix b/modules/system/boot/loader/init-script/init-script.nix similarity index 87% rename from modules/installer/init-script/init-script.nix rename to modules/system/boot/loader/init-script/init-script.nix index edf7d23d2a78..ef5e97eb2c9f 100644 --- a/modules/installer/init-script/init-script.nix +++ b/modules/system/boot/loader/init-script/init-script.nix @@ -41,10 +41,9 @@ in ###### implementation - config = { + config = mkIf config.boot.loader.initScript.enable { - system.build.initScriptBuilder = - if config.boot.loader.initScript.enable then initScriptBuilder else ""; + system.build.installBootLoader = initScriptBuilder; }; From 8cae5e57827ed1bfd69e2f7c24ea4d62a5eba185 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 11:39:41 -0400 Subject: [PATCH 27/49] Remove jfsrec from the minimal CD because it pulls in Boost --- modules/profiles/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix index 75a58f8568a1..2240311c885b 100644 --- a/modules/profiles/base.nix +++ b/modules/profiles/base.nix @@ -34,7 +34,7 @@ pkgs.dosfstools pkgs.xfsprogs pkgs.jfsutils - pkgs.jfsrec + #pkgs.jfsrec # disabled because of Boost dependency # Some compression/archiver tools. pkgs.unrar From db7a11b13213d5e3f70c2af285cd7e4914558c4a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 11:54:24 -0400 Subject: [PATCH 28/49] Manual: prevent a runtime dependency on DocBook XSL --- doc/manual/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/manual/default.nix b/doc/manual/default.nix index c82a46b05377..d3f554c099ee 100644 --- a/doc/manual/default.nix +++ b/doc/manual/default.nix 
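Review bot: `system.build.installBootLoader = initScriptBuilder;` is now defined whenever `config.boot.loader.initScript.enable` is set, and nothing in the module guards against another boot-loader module (presumably grub.nix, which the series treats the same way) defining the same value at the same time; unless the option merges by priority, enabling both loaders would end in a conflicting-definitions error with no hint about which one to disable. Making the precedence explicit, e.g. `system.build.installBootLoader = mkDefault initScriptBuilder;` if GRUB is meant to win, or an assertion that at most one loader is enabled, would make that failure mode intentional rather than accidental. The `config` attribute set continues outside the hunk.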
@@ -57,12 +57,14 @@ in rec { ${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \ ./manual.xml - ln -s ${pkgs.docbook5_xsl}/xml/xsl/docbook/images $dst/ + mkdir -p $dst/images/callouts + cp ${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/ + cp ${./style.css} $dst/style.css ensureDir $out/nix-support echo "doc manual $dst manual.html" >> $out/nix-support/hydra-build-products - ''; + ''; # */ }; # Generate the NixOS manpages. From 557f39aa0f9d8b5b10ef6b58c1f040b90807a7c2 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 16:37:29 -0400 Subject: [PATCH 29/49] install-grub.pl: Apply the configuration limit only to old generations --- modules/system/boot/loader/grub/install-grub.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/system/boot/loader/grub/install-grub.pl b/modules/system/boot/loader/grub/install-grub.pl index 76fa71c827fd..99bf171c7780 100644 --- a/modules/system/boot/loader/grub/install-grub.pl +++ b/modules/system/boot/loader/grub/install-grub.pl @@ -125,7 +125,6 @@ $conf .= "$extraConfig\n"; # Generate the menu entries. -my $curEntry = 0; $conf .= "\n"; my %copied; @@ -151,7 +150,6 @@ sub copyToKernelsDir { sub addEntry { my ($name, $path) = @_; - return if $curEntry++ > $configurationLimit; return unless -e "$path/kernel" && -e "$path/initrd"; my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); @@ -199,8 +197,10 @@ sub nrFromGen { my ($x) = @_; $x =~ /system-(.*)-link/; return $1; } my @links = sort { nrFromGen($b) <=> nrFromGen($a) } (glob "/nix/var/nix/profiles/system-*-link"); - + +my $curEntry = 0; foreach my $link (@links) { + last if $curEntry++ >= $configurationLimit; my $date = strftime("%F", localtime(lstat($link)->mtime)); my $version = -e "$link/nixos-version" From 16da4a14f1b2e9ab7f546afd29b17d0808dc004d Mon Sep 17 00:00:00 2001 
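Review bot: `last if $curEntry++ >= $configurationLimit;` counts every profile link visited rather than every menu entry written, whereas the removed check inside addEntry counted calls to addEntry; if the loop body (which continues outside the hunk) still hands each `$link` to addEntry, whose `return unless -e "$path/kernel" && -e "$path/initrd"` skips links without a kernel or initrd, the menu can show fewer old generations than the limit promises. Incrementing only after a successful addEntry keeps the limit meaning "entries shown". The comparison also changed from `>` to `>=`, so the limit is now exact instead of limit+1; a one-line comment such as `# Show at most $configurationLimit old generations.` above the loop would document the intended semantics.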
From: Eelco Dolstra Date: Wed, 25 Jul 2012 16:38:05 -0400 Subject: [PATCH 30/49] amazon-image.nix: Don't put any old configurations in the GRUB menu --- modules/virtualisation/amazon-image.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/virtualisation/amazon-image.nix b/modules/virtualisation/amazon-image.nix index 203c9a724ce1..9ada2b176fe3 100644 --- a/modules/virtualisation/amazon-image.nix +++ b/modules/virtualisation/amazon-image.nix @@ -139,6 +139,10 @@ with pkgs.lib; cp ${pkgs.utillinux}/sbin/swapon $out/bin ''; + # Don't put old configurations in the GRUB menu. The user has no + # way to select them anyway. + boot.loader.grub.configurationLimit = 0; + # Allow root logins only using the SSH key that the user specified # at instance creation time. services.openssh.enable = true; From 29ef89ac0387e7bee81866a042b74e0c5e9dc209 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 25 Jul 2012 18:38:20 -0400 Subject: [PATCH 31/49] Fix the tests http://hydra.nixos.org/build/2903932 --- tests/installer.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/installer.nix b/tests/installer.nix index 2b3232ca353c..88ad79ae0ee7 100644 --- a/tests/installer.nix +++ b/tests/installer.nix @@ -22,6 +22,7 @@ let [ pkgs.glibcLocales pkgs.sudo pkgs.docbook5 + pkgs.docbook5_xsl pkgs.grub ]; } From 92515b288c60f1e6839ec0fc196deb395d167654 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 26 Jul 2012 09:42:05 -0400 Subject: [PATCH 32/49] Fix the installer tests http://hydra.nixos.org/build/2904451 --- tests/installer.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/installer.nix b/tests/installer.nix index 88ad79ae0ee7..2e8f3f62b070 100644 --- a/tests/installer.nix +++ b/tests/installer.nix @@ -24,6 +24,7 @@ let pkgs.docbook5 pkgs.docbook5_xsl pkgs.grub + pkgs.perlPackages.XMLLibXML ]; } ]; From 7c1c4c757c5381321928958bda418758ed88061f Mon Sep 17 00:00:00 2001 
From: Florian Friesdorf Date: Thu, 26 Jul 2012 16:49:55 +0200 Subject: [PATCH 33/49] add setuid wrapper for newgrp --- modules/programs/shadow.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix index 137064bba851..a3f837c7367c 100644 --- a/modules/programs/shadow.nix +++ b/modules/programs/shadow.nix @@ -93,7 +93,7 @@ in { name = "login"; ownDevices = true; allowNullPassword = true; } ]; - security.setuidPrograms = [ "passwd" "chfn" "su" ]; + security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ]; }; From 1a2b3cc5e4209fdf15ab1abf17ace8c08b48ddf8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 26 Jul 2012 15:09:01 -0400 Subject: [PATCH 34/49] Fix the tests.installer.grub1 test GRUB 1 doesn't understand /dev/vda, so use a SCSI rather than virtio disk. --- lib/test-driver/Machine.pm | 4 +++- tests/installer.nix | 36 +++++++++++++++++------------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/test-driver/Machine.pm b/lib/test-driver/Machine.pm index dee1e4f33cb2..947291b52c4b 100644 --- a/lib/test-driver/Machine.pm +++ b/lib/test-driver/Machine.pm @@ -29,8 +29,10 @@ sub new { $startCommand = "qemu-kvm -m 384 " . "-net nic,model=virtio \$QEMU_OPTS "; - $startCommand .= "-drive file=" . Cwd::abs_path($args->{hda}) . ",if=virtio,boot=on,werror=report " + my $iface = $args->{hdaInterface} or "virtio"; + $startCommand .= "-drive file=" . Cwd::abs_path($args->{hda}) . ",if=$iface,boot=on,werror=report " if defined $args->{hda}; + $startCommand .= "-cdrom $args->{cdrom} " if defined $args->{cdrom}; $startCommand .= $args->{qemuFlags} || ""; diff --git a/tests/installer.nix b/tests/installer.nix index 2e8f3f62b070..c6b84c1d9551 100644 --- a/tests/installer.nix +++ b/tests/installer.nix 
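Review bot: Adding `"newgrp"` to `security.setuidPrograms` creates another setuid-root wrapper without a word on why it is needed, and the surrounding list (`passwd`, `chfn`, `su`) is equally undocumented. Each entry here enlarges the set of root-privileged binaries every local user can execute, so a short rationale makes future additions easier to judge, e.g. `# Programs that must run setuid root to change the caller's credentials (password, GECOS, uid, gid).` above the list. The enclosing `config` block starts outside the hunk.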
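Review bot: `my $iface = $args->{hdaInterface} or "virtio";` does not apply the default: Perl's low-precedence `or` binds looser than `=`, so `$iface` receives `$args->{hdaInterface}` (undef when the key is absent) and `"virtio"` is evaluated and discarded, producing `if=,boot=on` for every caller that does not pass hdaInterface. It should read `my $iface = $args->{hdaInterface} || "virtio";` (patch 35 later in this series makes exactly that change). The hda and cdrom paths are interpolated unquoted into the qemu command string, which is fine for test-driver paths but deserves a comment stating that assumption. `sub new` continues outside the hunk.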
@@ -32,7 +32,7 @@ let # The configuration to install. - config = { fileSystems, testChannel, grubVersion }: pkgs.writeText "configuration.nix" + config = { fileSystems, testChannel, grubVersion, grubDevice }: pkgs.writeText "configuration.nix" '' { config, pkgs, modulesPath, ... }: @@ -45,7 +45,7 @@ let ${optionalString (grubVersion == 1) '' boot.loader.grub.splashImage = null; ''} - boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.device = "${grubDevice}"; boot.loader.grub.extraConfig = "serial; terminal_output.serial"; boot.initrd.kernelModules = [ "ext3" "virtio_console" ]; @@ -95,11 +95,14 @@ let # a test script fragment `createPartitions', which must create # partitions and filesystems, and a configuration.nix fragment # `fileSystems'. - testScriptFun = { createPartitions, fileSystems, testChannel, grubVersion }: + testScriptFun = { createPartitions, fileSystems, testChannel, grubVersion, grubDevice }: + let iface = if grubVersion == 1 then "scsi" else "virtio"; in '' createDisk("harddisk", 4 * 1024); - my $machine = createMachine({ hda => "harddisk", cdrom => glob("${iso}/iso/*.iso"), + my $machine = createMachine({ hda => "harddisk", + hdaInterface => "${iface}", + cdrom => glob("${iso}/iso/*.iso"), qemuFlags => '${optionalString testChannel (toString (qemuNICFlags 1 1 2))} ${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"}'}); $machine->start; 
@@ -151,15 +154,9 @@ let print STDERR "Result of the hardware scan:\n$cfg\n"; $machine->copyFileFromHost( - "${ config { inherit fileSystems testChannel grubVersion; } }", + "${ config { inherit fileSystems testChannel grubVersion grubDevice; } }", "/mnt/etc/nixos/configuration.nix"); - # Hack to get GRUB 1 to install on virtio. GRUB 1 has a patch - # from Gentoo to support virtio, but it's incomplete: it doesn't - # detect /dev/vd* automatically. And we don't care enough about - # GRUB 1 to fix it. - $machine->mustSucceed("mkdir -p /mnt/boot/grub; echo '(hd0) /dev/vda' > /mnt/boot/grub/device.map"); - # Perform the installation. $machine->mustSucceed("nixos-install >&2"); @@ -169,7 +166,7 @@ let $machine->shutdown; # Now see if we can boot the installation. - my $machine = createMachine({ hda => "harddisk" }); + my $machine = createMachine({ hda => "harddisk", hdaInterface => "${iface}" }); # Did /boot get mounted, if appropriate? # !!! There is currently no good way to wait for the @@ -196,11 +193,11 @@ let ''; - makeTest = { createPartitions, fileSystems, testChannel ? false, grubVersion ? 2 }: + makeTest = { createPartitions, fileSystems, testChannel ? false, grubVersion ? 2, grubDevice ? "/dev/vda" }: { inherit iso; nodes = if testChannel then { inherit webserver; } else { }; testScript = testScriptFun { - inherit createPartitions fileSystems testChannel grubVersion; + inherit createPartitions fileSystems testChannel grubVersion grubDevice; }; }; 
@@ -315,18 +312,19 @@ in { { createPartitions = '' $machine->mustSucceed( - "parted /dev/vda mklabel msdos", - "parted /dev/vda -- mkpart primary linux-swap 1M 1024M", - "parted /dev/vda -- mkpart primary ext2 1024M -1s", + "parted /dev/sda mklabel msdos", + "parted /dev/sda -- mkpart primary linux-swap 1M 1024M", + "parted /dev/sda -- mkpart primary ext2 1024M -1s", "udevadm settle", - "mkswap /dev/vda1 -L swap", + "mkswap /dev/sda1 -L swap", "swapon -L swap", - "mkfs.ext3 -L nixos /dev/vda2", + "mkfs.ext3 -L nixos /dev/sda2", "mount LABEL=nixos /mnt", ); ''; fileSystems = rootFS; grubVersion = 1; + grubDevice = "/dev/sda"; }; # Rebuild the CD configuration with a little modification. From 87ae76866537cb1a09e202a439c0fb4eb3d93fb9 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 26 Jul 2012 15:52:05 -0400 Subject: [PATCH 35/49] Fix the LVM installer test GRUB 2 doesn't want to boot off a LVM disk: machine# installing the GRUB 2 boot loader on /dev/vda... machine# Path `/boot/grub' is not readable by GRUB on boot. Installation is impossible. Aborting. machine# /nix/store/7yc535h1lim1a5gkhjb3fr6c8193dv8w-install-grub.pl: installation of GRUB on /dev/vda failed In theory GRUB 2 supports booting from LVM, but we probably need to generate the right grub.conf (see https://wiki.archlinux.org/index.php/GRUB2#LVM). http://hydra.nixos.org/build/2904680 --- lib/test-driver/Machine.pm | 3 +-- tests/installer.nix | 20 ++++++++++++-------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/lib/test-driver/Machine.pm b/lib/test-driver/Machine.pm index 947291b52c4b..9018dc589e40 100644 --- a/lib/test-driver/Machine.pm +++ b/lib/test-driver/Machine.pm 
@@ -29,10 +29,9 @@ sub new { $startCommand = "qemu-kvm -m 384 " . "-net nic,model=virtio \$QEMU_OPTS "; - my $iface = $args->{hdaInterface} or "virtio"; + my $iface = $args->{hdaInterface} || "virtio"; $startCommand .= "-drive file=" . Cwd::abs_path($args->{hda}) . ",if=$iface,boot=on,werror=report " if defined $args->{hda}; - $startCommand .= "-cdrom $args->{cdrom} " if defined $args->{cdrom}; $startCommand .= $args->{qemuFlags} || ""; diff --git a/tests/installer.nix b/tests/installer.nix index c6b84c1d9551..b16206547a44 100644 --- a/tests/installer.nix +++ b/tests/installer.nix @@ -47,7 +47,7 @@ let ''} boot.loader.grub.device = "${grubDevice}"; boot.loader.grub.extraConfig = "serial; terminal_output.serial"; - boot.initrd.kernelModules = [ "ext3" "virtio_console" ]; + boot.initrd.kernelModules = [ "ext3" "ext4" "xfs" "virtio_console" ]; fileSystems = [ ${fileSystems} ]; swapDevices = [ { label = "swap"; } ]; @@ -187,7 +187,7 @@ let # And just to be sure, check that the machine still boots after # "nixos-rebuild switch". - my $machine = createMachine({ hda => "harddisk" }); + my $machine = createMachine({ hda => "harddisk", hdaInterface => "${iface}" }); $machine->waitForJob("network-interfaces"); $machine->shutdown; ''; 
@@ -250,28 +250,32 @@ in { }; # Create two physical LVM partitions combined into one volume group - # that contains the logical swap and root partitions. + # that contains the logical swap and root partitions. Uses a lvm = makeTest { createPartitions = '' $machine->mustSucceed( "parted /dev/vda mklabel msdos", - "parted /dev/vda -- mkpart primary 1M 2048M", # first PV + "parted /dev/vda -- mkpart primary ext2 1M 30MB", # /boot + "parted /dev/vda -- mkpart primary 31M 2048M", # first PV "parted /dev/vda -- set 1 lvm on", "parted /dev/vda -- mkpart primary 2048M -1s", # second PV "parted /dev/vda -- set 2 lvm on", "udevadm settle", - "pvcreate /dev/vda1 /dev/vda2", - "vgcreate MyVolGroup /dev/vda1 /dev/vda2", + "pvcreate /dev/vda2 /dev/vda3", + "vgcreate MyVolGroup /dev/vda2 /dev/vda3", "lvcreate --size 1G --name swap MyVolGroup", "lvcreate --size 2G --name nixos MyVolGroup", "mkswap -f /dev/MyVolGroup/swap -L swap", "swapon -L swap", - "mkfs.ext3 -L nixos /dev/MyVolGroup/nixos", + "mkfs.xfs -L nixos /dev/MyVolGroup/nixos", "mount LABEL=nixos /mnt", + "mkfs.ext4 -L boot /dev/vda1", + "mkdir /mnt/boot", + "mount LABEL=boot /mnt/boot", ); ''; - fileSystems = rootFS; + fileSystems = rootFS + bootFS; }; swraid = makeTest From e988324534044d6309acc5f936ab85b900cb1dd0 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 27 Jul 2012 00:07:25 +0200 Subject: [PATCH 36/49] Use a dedicated user ('named') for BIND instead of running the daemon as super user. --- modules/misc/ids.nix | 1 + modules/services/networking/bind.nix | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index d1621c0c74ef..13ebf954f329 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -71,6 +71,7 @@ in mpd = 50; clamav = 51; fprot = 52; + bind = 53; # When adding a uid, make sure it doesn't match an existing gid. 
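Review bot: The partition numbers and the LVM flags disagree after inserting the new `/boot` partition: `parted /dev/vda -- set 1 lvm on` now flags the ext2 boot partition, `set 2 lvm on` flags only the first PV, and the second PV (`/dev/vda3`, used by `pvcreate /dev/vda2 /dev/vda3`) gets no flag at all. The two flag lines should read `"parted /dev/vda -- set 2 lvm on",` and `"parted /dev/vda -- set 3 lvm on",`. The comment edit also leaves a dangling fragment, `# that contains the logical swap and root partitions. Uses a`, which should either be completed (e.g. `Uses a separate /boot partition because GRUB 2 does not boot from LVM here.`) or dropped. Patch 44 later in this series reverts the separate /boot partition and with it both issues.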
diff --git a/modules/services/networking/bind.nix b/modules/services/networking/bind.nix index 1e04b354939b..a5e4c9d1d027 100644 --- a/modules/services/networking/bind.nix +++ b/modules/services/networking/bind.nix @@ -6,6 +6,8 @@ let cfg = config.services.bind; + bindUser = "named"; + confFile = pkgs.writeText "named.conf" '' acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; @@ -118,6 +120,12 @@ in config = mkIf config.services.bind.enable { + users.extraUsers = singleton + { name = bindUser; + uid = config.ids.uids.bind; + description = "BIND daemon user"; + }; + jobs.bind = { description = "BIND name server job"; @@ -126,9 +134,10 @@ in preStart = '' ${pkgs.coreutils}/bin/mkdir -p /var/run/named + chown ${bindUser} /var/run/named ''; - exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + exec = "${pkgs.bind}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; }; }; From 14a8532ee0f569d101d14acdb4f1f4ea750b8ba2 Mon Sep 17 00:00:00 2001 From: Florian Friesdorf Date: Sun, 15 Jul 2012 06:25:08 +0200 Subject: [PATCH 37/49] add NIX_CONF_DIR to sudo env_keep variables (suggested by Eelco Dolstra) this enables nix-collect-garbage under sudo to respect nix.conf, e.g.: gc-keep-outputs = true gc-keep-derivations = true --- modules/security/sudo.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index 76c325d8d8f6..e3e463e155f0 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix @@ -34,6 +34,7 @@ in # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE + Defaults:root,%wheel env_keep+=NIX_CONF_DIR Defaults:root,%wheel env_keep+=NIX_PATH Defaults:root,%wheel env_keep+=TERMINFO_DIRS From e27ee81304b83e20ad14266a76410e68eea22d30 Mon Sep 17 00:00:00 2001 
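Review bot: The new `users.extraUsers` entry for `named` sets `uid` but no `group`, so the daemon's primary group is whatever the module system defaults to, and `chown ${bindUser} /var/run/named` likewise leaves the directory's group untouched; a dedicated group (with a matching `ids.gids` entry, in keeping with the adjacent ids.nix comment about keeping uids and gids distinct) makes the privilege drop via `named -u ${bindUser}` easier to audit, e.g. `group = bindUser;` in the user definition and `chown ${bindUser}:${bindUser} /var/run/named`. The preStart also mixes `${pkgs.coreutils}/bin/mkdir` with a bare `chown` on the next line; `${pkgs.coreutils}/bin/chown` keeps it consistent. If named writes anything besides its pid file at runtime (journals for dynamic zones, for instance), those paths need the same ownership — worth checking against the rest of the module, which is outside the hunk.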
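Review bot: `Defaults:root,%wheel env_keep+=NIX_CONF_DIR` lets the caller hand root's Nix tools an arbitrary configuration directory, which is only harmless while `%wheel` already has unrestricted sudo; should this sudoers file ever be narrowed to specific commands (say only `nix-collect-garbage`), a caller-controlled nix.conf becomes a way to alter what the privileged Nix invocation trusts and keeps. The intent from the commit message belongs next to the line, e.g. `# NIX_CONF_DIR: let "sudo nix-collect-garbage" honour the caller's nix.conf (gc-keep-outputs etc.). Only safe while %wheel has full sudo.` The same consideration applies to the existing `NIX_PATH` line, which this change does not touch.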
From: Shea Levy Date: Fri, 27 Jul 2012 13:29:14 -0400 Subject: [PATCH 38/49] create-ebs-amis.py: Load the deployment state file. charon now requires either using a Deployment in a with statement or manually loading the state file --- maintainers/scripts/ec2/create-ebs-amis.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/maintainers/scripts/ec2/create-ebs-amis.py b/maintainers/scripts/ec2/create-ebs-amis.py index 0afa6d564e33..939bd30942dc 100755 --- a/maintainers/scripts/ec2/create-ebs-amis.py +++ b/maintainers/scripts/ec2/create-ebs-amis.py @@ -33,6 +33,7 @@ f.write('''{{ f.close() depl = deployment.Deployment("./ebs-creator.json", create=True, nix_exprs=["./ebs-creator.nix", "./ebs-creator-config.nix"]) +depl.load_state() if not args.keep: depl.destroy_vms() depl.deploy() @@ -163,6 +164,7 @@ f.write( f.close() test_depl = deployment.Deployment("./ebs-test.json", create=True, nix_exprs=["./ebs-test.nix"]) +test_depl.load_state() test_depl.deploy(create_only=True) test_depl.machines['machine'].run_command("nixos-version") if not args.keep: test_depl.destroy_vms() From a559a2a60688e82b3f7c851546c97c6a2c9c2c39 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 Jul 2012 17:19:14 +0200 Subject: [PATCH 39/49] mediawiki.nix: Use the right PHP build --- modules/services/web-servers/apache-httpd/default.nix | 2 +- modules/services/web-servers/apache-httpd/mediawiki.nix | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index cbd245df432b..a101b077e47e 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -74,7 +74,7 @@ let phpOptions = ""; options = {}; }; - res = defaults // svcFunction { inherit config pkgs serverInfo; }; + res = defaults // svcFunction { inherit config pkgs serverInfo php; }; in res; in map f defs; 
diff --git a/modules/services/web-servers/apache-httpd/mediawiki.nix b/modules/services/web-servers/apache-httpd/mediawiki.nix index 9f321b173d3e..2941c6d0d5a1 100644 --- a/modules/services/web-servers/apache-httpd/mediawiki.nix +++ b/modules/services/web-servers/apache-httpd/mediawiki.nix @@ -1,4 +1,4 @@ -{ config, pkgs, serverInfo, ... }: +{ config, pkgs, serverInfo, php, ... }: with pkgs.lib; @@ -101,7 +101,7 @@ let '' ensureDir $out/bin for i in changePassword.php createAndPromote.php userOptions.php edit.php nukePage.php; do - makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-${config.id}-$(basename $i .php) \ + makeWrapper ${php}/bin/php $out/bin/mediawiki-${config.id}-$(basename $i .php) \ --add-flags ${mediawikiRoot}/maintenance/$i done ''; From 174d6a07e04bb3697e3389003484ee13945d208a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 Jul 2012 13:49:10 -0400 Subject: [PATCH 40/49] Fix whitespace --- modules/system/boot/loader/grub/install-grub.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/system/boot/loader/grub/install-grub.pl b/modules/system/boot/loader/grub/install-grub.pl index 99bf171c7780..54f91b0f5985 100644 --- a/modules/system/boot/loader/grub/install-grub.pl +++ b/modules/system/boot/loader/grub/install-grub.pl @@ -105,7 +105,7 @@ else { "; if ($splashImage) { - # FIXME: GRUB 1.97 doesn't resize the background image if it + # FIXME: GRUB 1.97 doesn't resize the background image if it # doesn't match the video resolution. copy $splashImage, "/boot/background.png" or die "cannot copy $splashImage to /boot\n"; $conf .= " @@ -193,7 +193,7 @@ $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS; $conf .= "submenu \"NixOS - Old configurations\" {\n" if $grubVersion == 2; sub nrFromGen { my ($x) = @_; $x =~ /system-(.*)-link/; return $1; } - + my @links = sort { nrFromGen($b) <=> nrFromGen($a) } (glob "/nix/var/nix/profiles/system-*-link"); 
From 2678ff37264b7951e7b7309d5ad892061bcd019a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 Jul 2012 13:49:18 -0400 Subject: [PATCH 41/49] Use /sys/fs/cgroup instead of /dev/cgroup --- modules/services/system/cgroups.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/services/system/cgroups.nix b/modules/services/system/cgroups.nix index 199d12268ceb..5d5777909e92 100644 --- a/modules/services/system/cgroups.nix +++ b/modules/services/system/cgroups.nix @@ -37,14 +37,14 @@ in default = '' mount { - cpu = /dev/cgroup/cpu; + cpu = /sys/fs/cgroup/cpu; } ''; example = '' mount { - cpu = /dev/cgroup/cpu; - cpuacct = /dev/cgroup/cpuacct; + cpu = /sys/fs/cgroup/cpu; + cpuacct = /sys/fs/cgroup/cpuacct; } # Create a "www" cgroup with a lower share of the CPU (the @@ -105,10 +105,16 @@ in description = "Control groups daemon"; - path = [ pkgs.libcgroup pkgs.procps ]; + path = [ pkgs.libcgroup pkgs.procps pkgs.utillinux ]; preStart = '' + if [ -d /sys/fs/cgroup ]; then + if ! mountpoint -q /sys/fs/cgroup; then + mount -t tmpfs -o mode=755 /dev/cgroup /sys/fs/cgroup + fi + fi + cgclear || true # Mount the cgroup hierarchies. Note: we refer to the From 6576d81ff1b06ca2f5d37350f2f5893a6377547c Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 Jul 2012 15:19:30 -0400 Subject: [PATCH 42/49] Fix "please: command not found" in switch-to-configuration --- modules/system/activation/top-level.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/system/activation/top-level.nix b/modules/system/activation/top-level.nix index 1eea759d8c99..35b6d0bff0c9 100644 --- a/modules/system/activation/top-level.nix +++ b/modules/system/activation/top-level.nix 
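Review bot: `mount -t tmpfs -o mode=755 /dev/cgroup /sys/fs/cgroup` passes `/dev/cgroup` as the tmpfs source even though the commit's purpose is to stop using that path; for tmpfs the source is only a label, so `mount -t tmpfs -o mode=755 cgroup_root /sys/fs/cgroup` (or `tmpfs`) avoids implying a dependency on /dev/cgroup. The new block also wants a one-line comment before the outer `if`, e.g. `# Ensure /sys/fs/cgroup is a mount point so the hierarchies can be mounted below it.` The preStart script continues past the hunk.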
@@ -151,7 +151,7 @@ let config.boot.kernelParams ++ config.boot.extraKernelParams; installBootLoader = config.system.build.installBootLoader - or "echo 'Warning: don't know how to make this configuration bootable; please enable a boot loader.' 1>&2; true"; + or "echo \"Warning: don't know how to make this configuration bootable; please enable a boot loader.\" 1>&2; true"; activationScript = config.system.activationScripts.script; nixosVersion = config.system.nixosVersion; @@ -159,11 +159,11 @@ let # Pass the names of all Upstart tasks to the activation script. tasks = attrValues (mapAttrs (n: v: if v.task then ["[${v.name}]=1"] else []) config.jobs); - + # Pass the names of all Upstart jobs that shouldn't be restarted # to the activation script. noRestartIfChanged = attrValues (mapAttrs (n: v: if v.restartIfChanged then [] else ["[${v.name}]=1"]) config.jobs); - + # Most of these are needed by grub-install. path = [ pkgs.coreutils From 52fd5ea6ca72ccd2a5b784ca2c392b4b9bf48fe5 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Tue, 31 Jul 2012 20:00:58 +0200 Subject: [PATCH 43/49] gogoclient: setup config and dirs on service start, not on system activation --- modules/services/networking/gogoclient.nix | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/modules/services/networking/gogoclient.nix b/modules/services/networking/gogoclient.nix index 12fbef1f3ba9..593f2436a393 100644 --- a/modules/services/networking/gogoclient.nix +++ b/modules/services/networking/gogoclient.nix 
@@ -65,21 +65,15 @@ in description = "ipv6 tunnel"; startOn = optionalString cfg.autorun "starting networking"; stopOn = "stopping network-interfaces"; - script = "cd /var/lib/gogoc; exec gogoc -y -f /etc/gogoc.conf"; + preStart = '' + mkdir -p /var/lib/gogoc + chmod 700 /var/lib/gogoc + cat ${pkgs.gogoclient}/share/${pkgs.gogoclient.name}/gogoc.conf.sample | ${pkgs.gnused}/bin/sed -e "s|^userid=|&${cfg.username}|;s|^passwd=|&${if cfg.password == "" then "" else "$(cat ${cfg.password})"}|;s|^server=.*|server=${cfg.server}|;s|^auth_method=.*|auth_method=${if cfg.password == "" then "anonymous" else "any"}|;s|^#log_file=|log_file=1|" > /var/lib/gogoc/gogoc.conf + ''; + script = "cd /var/lib/gogoc; exec gogoc -y -f ./gogoc.conf"; path = [pkgs.gogoclient]; }; - system.activationScripts.gogoClientConf = '' - mkdir -p /var/lib/gogoc - chmod 700 /var/lib/gogoc - install -m400 ${pkgs.gogoclient}/share/${pkgs.gogoclient.name}/gogoc.conf.sample /etc/gogoc.conf.default - ${pkgs.gnused}/bin/sed -i -e "s|^userid=|&${cfg.username}|" /etc/gogoc.conf.default - ${pkgs.gnused}/bin/sed -i -e "s|^passwd=|&${if cfg.password == "" then "" else "$(cat ${cfg.password})"}|" /etc/gogoc.conf.default - ${pkgs.gnused}/bin/sed -i -e "s|^server=.*|server=${cfg.server}|" /etc/gogoc.conf.default - ${pkgs.gnused}/bin/sed -i -e "s|^auth_method=.*|auth_method=${if cfg.password == "" then "anonymous" else "any"}|" /etc/gogoc.conf.default - ${pkgs.gnused}/bin/sed -i -e "s|^#log_file=|log_file=1|" /etc/gogoc.conf.default - mv /etc/gogoc.conf.default /etc/gogoc.conf - ''; }; } From c8d04ab34c0a3bd3538d1763108110f2c195d1a1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 1 Aug 2012 15:40:58 -0400 Subject: [PATCH 44/49] tests/installer.nix: Re-enable booting from LVM --- tests/installer.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/tests/installer.nix b/tests/installer.nix index b16206547a44..65542ae862eb 100644 --- a/tests/installer.nix 
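Review bot: The config file is now created with a plain shell redirection (`... > /var/lib/gogoc/gogoc.conf`) under whatever umask the job runs with, whereas the removed activation script used `install -m400`; the 0700 directory limits exposure, but the file holding the tunnel password should not depend on that alone, so add `umask 077` as the first line of preStart (or `chmod 400 /var/lib/gogoc/gogoc.conf` after the redirect). The password is also spliced into sed's argument list via `$(cat ${cfg.password})`, so it is visible in /proc/<pid>/cmdline to every local user while sed runs, and a password containing `&`, `\` or the `|` delimiter will corrupt the replacement rather than be inserted literally. A safer shape is to keep the secret out of argv, e.g. generate the config without the passwd line and append `passwd=$(cat ${cfg.password})` with a redirect, or read it via `sed -e "/^passwd=/r ${cfg.password}"` and strip the empty key. The `cfg.username` and `cfg.server` values are interpolated unescaped into the same sed script, which is acceptable only as long as they are trusted configuration.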
+++ b/tests/installer.nix @@ -250,32 +250,28 @@ in { }; # Create two physical LVM partitions combined into one volume group - # that contains the logical swap and root partitions. Uses a + # that contains the logical swap and root partitions. lvm = makeTest { createPartitions = '' $machine->mustSucceed( "parted /dev/vda mklabel msdos", - "parted /dev/vda -- mkpart primary ext2 1M 30MB", # /boot - "parted /dev/vda -- mkpart primary 31M 2048M", # first PV + "parted /dev/vda -- mkpart primary 1M 2048M", # first PV "parted /dev/vda -- set 1 lvm on", "parted /dev/vda -- mkpart primary 2048M -1s", # second PV "parted /dev/vda -- set 2 lvm on", "udevadm settle", - "pvcreate /dev/vda2 /dev/vda3", - "vgcreate MyVolGroup /dev/vda2 /dev/vda3", + "pvcreate /dev/vda1 /dev/vda2", + "vgcreate MyVolGroup /dev/vda1 /dev/vda2", "lvcreate --size 1G --name swap MyVolGroup", "lvcreate --size 2G --name nixos MyVolGroup", "mkswap -f /dev/MyVolGroup/swap -L swap", "swapon -L swap", "mkfs.xfs -L nixos /dev/MyVolGroup/nixos", "mount LABEL=nixos /mnt", - "mkfs.ext4 -L boot /dev/vda1", - "mkdir /mnt/boot", - "mount LABEL=boot /mnt/boot", ); ''; - fileSystems = rootFS + bootFS; + fileSystems = rootFS; }; swraid = makeTest From 5f57110e1f977bf0a2e11b4f0ee92244de53d331 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 1 Aug 2012 21:47:17 +0200 Subject: [PATCH 45/49] install-grub.pl: Fix Xen support --- modules/system/boot/loader/grub/install-grub.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/boot/loader/grub/install-grub.pl b/modules/system/boot/loader/grub/install-grub.pl index 54f91b0f5985..5e9f3b4efdad 100644 --- a/modules/system/boot/loader/grub/install-grub.pl +++ b/modules/system/boot/loader/grub/install-grub.pl 
@@ -154,7 +154,7 @@ sub addEntry { my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); - my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen")) : undef; + my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; # FIXME: $confName From ecdbc94e051ec081d30c5580a7934bddce22d03c Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Tue, 17 Jul 2012 13:10:00 +0200 Subject: [PATCH 46/49] LUKS root: Add option allowDiscards (for SSD disks) --- modules/system/boot/luksroot.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 0e28a882da5f..38dfece44bee 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with pkgs.lib; let luks = config.boot.initrd.luks; - openCommand = { name, device, ... }: '' + openCommand = { name, device, allowDiscards, ... }: '' # Wait for luksRoot to appear, e.g. if on a usb drive. # XXX: copied and adapted from stage-1-init.sh - should be # available as a function. @@ -20,7 +20,7 @@ let fi # open luksRoot and scan for logical volumes - cryptsetup luksOpen ${device} ${name} + cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ''; isPreLVM = f: f.preLVM; @@ -69,6 +69,17 @@ in type = types.bool; description = "Whether the luksOpen will be attempted before LVM scan or after it."; }; + + allowDiscards = mkOption { + default = false; + type = types.bool; + description = '' + Whether to allow TRIM requests to the underlying device. This option + has security implications, please read the LUKS documentation before + activating in. + ''; + }; + }; }; }; From 0958b224ac20dff543eeb04a1ca6fa4983209ec8 Mon Sep 17 00:00:00 2001 
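Review bot: The allowDiscards description warns of "security implications" without naming them and ends with a typo (`activating in`), which leaves an administrator no basis for the decision the option asks them to make. I would replace the three description lines with something like `Whether to allow TRIM/discard requests to pass through to the underlying device. Enabling this lets an attacker with access to the raw disk see which blocks are unused, which reveals the filesystem type and how full it is and weakens deniable/hidden-volume setups; leave it off unless you need SSD wear levelling and accept that leak.` and keep the pointer to the cryptsetup documentation. The `--allow-discards` flag is appended after the positional arguments in the luksOpen hunk above; cryptsetup accepts options in that position, but placing it before `${device}` would read more conventionally.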
From: Rickard Nilsson Date: Thu, 3 May 2012 00:37:14 +0200 Subject: [PATCH 47/49] LUKS root: Add option for using a key file instead of a passphrase. --- modules/system/boot/luksroot.nix | 41 ++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 38dfece44bee..db25e9390ab1 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with pkgs.lib; let luks = config.boot.initrd.luks; - openCommand = { name, device, allowDiscards, ... }: '' + openCommand = { name, device, keyFile, keyFileSize, allowDiscards, ... }: '' # Wait for luksRoot to appear, e.g. if on a usb drive. # XXX: copied and adapted from stage-1-init.sh - should be # available as a function. @@ -19,8 +19,21 @@ let echo "ok" fi + ${optionalString (keyFile != "") '' + if ! test -e ${keyFile}; then + echo -n "waiting 10 seconds for key file ${keyFile} to appear..." + for try in $(seq 10); do + sleep 1 + if test -e ${keyFile}; then break; fi + echo -n . + done + echo "ok" + fi + ''} + # open luksRoot and scan for logical volumes - cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} + cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ + ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} ''; isPreLVM = f: f.preLVM; 
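Review bot: When keyFile is set but never appears, the new code still runs `cryptsetup luksOpen ... --key-file=${keyFile}` after the ten-second wait, and as far as I can tell from the hunk that just fails (no passphrase prompt), which turns a missing or slow USB key into an unbootable system instead of the fallback the option description promises ("If not specified, you will be prompted"). I would branch on the file's presence after the wait loop and drop back to the plain luksOpen call, as sketched below; the `${keyFile}` path is also interpolated unquoted into the shell, so it must not contain whitespace, which is worth a note in the option description. The `keyFile != ""` guard on the wait loop disagrees with the `keyFile != null` guard on the luksOpen line and is corrected in a later patch of this series.
```nix
      # open luksRoot and scan for logical volumes; fall back to a passphrase
      # prompt if the key file never showed up
      ${if keyFile != null then ''
        if test -e ${keyFile}; then
          cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
            --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}
        else
          echo "key file ${keyFile} not found, falling back to passphrase"
          cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"}
        fi
      '' else ''
        cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"}
      ''}
```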
@@ -64,6 +77,30 @@ in description = "Path of the underlying block device."; }; + keyFile = mkOption { + default = null; + example = "/dev/sdb1"; + type = types.nullOr types.string; + description = '' + The name of the file (can be a raw device or a partition) that + should be used as the decryption key for the encrypted device. If + not specified, you will be prompted for a passphrase instead. + ''; + }; + + keyFileSize = mkOption { + default = null; + example = 4096; + type = types.nullOr types.int; + description = '' + The size of the key file. Use this if only the beginning of the + key file should be used as a key (often the case if a raw device + or partition is used as key file). If not specified, the whole + keyFile will be used decryption, instead of just + the first keyFileSize bytes. + ''; + }; + preLVM = mkOption { default = true; type = types.bool; From a6039e1be2ca794497d073afe4d666454845b2b8 Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Thu, 2 Aug 2012 11:39:31 +0200 Subject: [PATCH 48/49] LUKS root: Fix key file check Check for null instead of empty string --- modules/system/boot/luksroot.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index db25e9390ab1..27c9c85eab3d 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -19,7 +19,7 @@ let echo "ok" fi - ${optionalString (keyFile != "") '' + ${optionalString (keyFile != null) '' if ! test -e ${keyFile}; then echo -n "waiting 10 seconds for key file ${keyFile} to appear..." for try in $(seq 10); do From 1fcef0a0e0c44f0b01256964f08964986953cbf4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 2 Aug 2012 13:31:57 -0400 Subject: [PATCH 49/49] Don't use nixUnstable --- modules/services/misc/nix-daemon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
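Review bot: The keyFileSize description has a dropped word, `the whole keyFile will be used decryption`, which should read `the whole keyFile will be used for decryption`, and the keyFile description should state the threat model the option introduces, since a key read from a raw device means anyone who can copy that device (the example is `/dev/sdb1`) can unlock the root volume without a passphrase. I would add a sentence such as `Whoever can read this file or device can open the volume; protect it at least as well as a passphrase, and note that device names like /dev/sdb1 are not stable across reboots (prefer a /dev/disk/by-id path).` The wait-and-open code that consumes these options is in an earlier hunk of this patch, outside this one.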
diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix index 31b81a13e363..a955fdd8d351 100644 --- a/modules/services/misc/nix-daemon.nix +++ b/modules/services/misc/nix-daemon.nix @@ -27,7 +27,7 @@ in options = { environment.nix = mkOption { - default = pkgs.nixUnstable; + default = pkgs.nix; merge = mergeOneOption; description = '' This option specifies the Nix package instance to use throughout the system.