Commit graph

40620 commits

Author SHA1 Message Date
Eelco Dolstra
3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Eelco Dolstra
819e7c9fbd Add a test for NixOS containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
1e4fa227fe nixos-container: Don't destroy declarative containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
b0b3fa928a Disable container support in containers
Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
1ad9a654be Make starting a container synchronous
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
269926df0d container-login.nix -> container-config.nix 2014-04-03 16:36:16 +02:00
Eelco Dolstra
fee81c3739 Always enable container logins 2014-04-03 16:35:36 +02:00
Eelco Dolstra
6da72a4456 nixos-container: Rewrite in Perl
Also fix race condition when multiple containers are created
simultaneously (as NixOps tends to do).
2014-03-31 19:49:15 +02:00
Eelco Dolstra
bdb658d033 nixpkgs-lint: Tweak 2014-03-31 19:49:01 +02:00
Eelco Dolstra
7ebd856a38 Provide nixos-container unconditionally 2014-03-31 19:49:01 +02:00
Eelco Dolstra
07adfae551 Remove hard-coded SSH key 2014-03-24 12:19:28 +01:00
Eelco Dolstra
6010b0e886 nixos-container: NixOps helper functions 2014-03-24 12:19:28 +01:00
Eelco Dolstra
29c469b88d Allow dashes in container names 2014-03-24 12:19:28 +01:00
Eelco Dolstra
ba88db3cd3 Add support for imperative container management
The command nixos-container can now create containers.  For instance,
the following creates and starts a container named ‘database’:

  $ nixos-container create database

The configuration of the container is stored in
/var/lib/containers/<name>/etc/nixos/configuration.nix.  After editing
the configuration, you can make the changes take effect by doing

  $ nixos-container update database

The container can also be destroyed:

  $ nixos-container destroy database

Containers are now executed using a template unit,
‘container@.service’, so the unit in this example would be
‘container@database.service’.
2014-03-24 12:19:27 +01:00
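Added example, not part of nixpkgs or the nixos-container tool: a small host-side wrapper around the create/update/destroy commands described in the commit message above. It validates the container name before touching /var/lib/containers/<name> and confirms that the template instance container@<name>.service actually came up. The character set it allows ([A-Za-z0-9_-], no leading dash) is an assumption, not something the page states; it assumes a NixOS host with systemctl and nixos-container on PATH.

```shell
#!/bin/sh
# Wrapper for imperative container management (added example, not project code).
# Assumption: container names are limited to [A-Za-z0-9_-] and may not start
# with '-', so they can never escape /var/lib/containers/<name> or be parsed
# as an option by nixos-container.

# valid_container_name NAME -> 0 if the name is acceptable, 1 otherwise
valid_container_name() {
    case "$1" in
        ''|*/*|.|..|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# container_unit NAME -> the systemd instance of the container@.service template
container_unit() {
    printf 'container@%s.service\n' "$1"
}

# container_config NAME -> where the container's configuration.nix lives on the host
container_config() {
    printf '/var/lib/containers/%s/etc/nixos/configuration.nix\n' "$1"
}

# create_and_check NAME -> create the container and verify its unit is active
create_and_check() {
    name=$1
    valid_container_name "$name" || { echo "refusing bad name: $name" >&2; return 2; }
    nixos-container create "$name" || return 1
    unit=$(container_unit "$name")
    if systemctl is-active --quiet "$unit"; then
        echo "$unit is active; edit $(container_config "$name"), then: nixos-container update $name"
    else
        echo "$unit did not come up; see: journalctl -u $unit" >&2
        return 1
    fi
}

# Usage (as root on a NixOS host):
#   create_and_check database
#   nixos-container destroy database
```

The name check matters because the container name is interpolated into a host filesystem path and into a systemd instance name; anything containing a slash or "..", or an empty string, must be rejected before nixos-container sees it.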
Eelco Dolstra
0cca0f477f nixos-container-shell -> nixos-container { login | root-shell } 2014-03-24 12:19:27 +01:00
Eelco Dolstra
2ace7edb81 Rename systemd.containers -> containers
That NixOS containers use systemd-nspawn is just an implementation
detail (which we could change in the future).
2014-03-24 12:19:27 +01:00
Eelco Dolstra
7ee31c7f94 Fix permissions 2014-03-18 18:04:38 +01:00
Eelco Dolstra
5b10ea1f99 Don't run dhcpcd in containers 2014-03-18 11:39:51 +01:00
Eelco Dolstra
11c4c4ae54 Add command ‘nixos-container-shell’ for logging into a container 2014-03-18 11:36:03 +01:00
Eelco Dolstra
7b82d1ee27 Ensure that the container root can always be accessed via /var/lib/containers 2014-03-18 11:04:54 +01:00
Eelco Dolstra
895bcdd1cb Add support for running a container with a private network interface
For example, the following sets up a container named ‘foo’.  The
container will have a single network interface eth0, with IP address
10.231.136.2.  The host will have an interface c-foo with IP address
10.231.136.1.

  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules.  This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
2014-03-18 10:49:25 +01:00
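The commit message states that a container with privateNetwork = true holds CAP_NET_ADMIN but can only configure its own interfaces. The check a practitioner wants is to run something inside the container that decodes its effective capability set and lists the interfaces it can actually see. The following is an added example, not code from nixpkgs; it decodes the CapEff mask from /proc/<pid>/status (CAP_NET_ADMIN is capability number 12 in linux/capability.h) and assumes iproute2's ip is available in the container. Note that this page's later commit renames systemd.containers to containers, so the option path in the message above is the older spelling.

```shell
#!/bin/sh
# Capability check for a NixOS container (added example, not project code).
# CAP_NET_ADMIN is bit 12 of the capability mask; CAP_SYS_MODULE (bit 16) is
# listed as a capability that a container should not hold, since loading a
# module affects the host kernel (assumption: nspawn does not grant it).
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16

# cap_in_mask HEXMASK CAPNUMBER -> prints yes if the capability bit is set
cap_in_mask() {
    mask=$1; cap=$2
    if [ $(( (0x$mask >> cap) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# capeff_of_pid PID -> prints the CapEff hex mask of that process (default: self)
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# visible_interfaces -> one interface name per line, as seen from this netns
visible_interfaces() {
    ip -o link | awk -F': ' '{ print $2 }'
}

# check_container_caps: run inside the container as root
check_container_caps() {
    mask=$(capeff_of_pid self)
    printf 'CapEff=%s\n' "$mask"
    printf 'CAP_NET_ADMIN: %s\n' "$(cap_in_mask "$mask" "$CAP_NET_ADMIN")"
    printf 'CAP_SYS_MODULE: %s\n' "$(cap_in_mask "$mask" "$CAP_SYS_MODULE")"
    echo 'interfaces visible from this network namespace:'
    visible_interfaces
}

# Usage inside the container:  check_container_caps
# With privateNetwork = true you should see only lo and eth0 here; the host's
# c-<name> end of the veth pair must not appear.
```

If the host's interfaces do show up, the container is not in a private network namespace and CAP_NET_ADMIN then grants control over the host's network configuration, which is exactly the case the commit message says is excluded.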
Eelco Dolstra
ac215779dd Give containers a writable /nix/var/nix/{profiles,gcroots}
These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.
2014-03-17 15:23:20 +01:00
Eelco Dolstra
ef8e0266a2 Don't reboot a container when its configuration changes
Instead, just run "switch-to-configuration" inside the container.
2014-03-17 15:03:29 +01:00
Eelco Dolstra
511b86d22d Add an option to reload rather than restart changed units 2014-03-17 15:02:53 +01:00
Eelco Dolstra
28b7d67d08 httpd: Don't require keys.target
This has the unintended side-effect of restarting httpd every time we
run switch-to-configuration, even if httpd hasn't changed (because
we're doing a "stop keys.target" now).  So use a "Wants" dependency
instead.
2014-03-17 15:01:10 +01:00
Eelco Dolstra
f9e2af1e8b switch-to-configuration: Don't require /etc/NIXOS
Check /etc/os-release if /etc/NIXOS doesn't exist.
2014-03-17 14:16:10 +01:00
Eelco Dolstra
f13bd41384 switch-to-configuration: Restart sockets.target 2014-03-17 14:10:48 +01:00
Eelco Dolstra
0d506aa712 Provide a simple way to log into containers
On the host, you can run

  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw

to get a login prompt.  So this allows logging in even if the
container has no SSH access enabled.

You can also do

  $ socat unix:<path-to-container>/var/lib/root-shell.socket -

to get a plain root shell.  (This socket is only accessible by root,
obviously.)  This makes it easy to execute commands in the container,
e.g.

  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
2014-03-17 14:10:47 +01:00
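Anything that can write to the root-shell socket gets a root shell inside the container, so the socket's ownership and mode are what make the "only accessible by root" statement true. The following added example (not code from nixpkgs) refuses to use the socket unless it is owned by root with no group or world permission bits, then sends a command the way the commit message shows. It assumes the path layout /var/lib/containers/<name>/var/lib/root-shell.socket and that socat is installed; it parses ls -ld rather than GNU stat so it also works on busybox.

```shell
#!/bin/sh
# Guarded use of a container's root-shell socket (added example, not project code).

# mode_is_private PATH -> 0 if group and others have no permission bits at all
mode_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = '------' ]
}

# owner_is_root PATH -> 0 if the owner column of ls -ld is root
owner_is_root() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = root ]
}

# container_root_cmd NAME CMD... -> run CMD as root inside the container NAME
container_root_cmd() {
    name=$1; shift
    sock="/var/lib/containers/$name/var/lib/root-shell.socket"
    [ -S "$sock" ] || { echo "no socket: $sock" >&2; return 1; }
    if ! owner_is_root "$sock" || ! mode_is_private "$sock"; then
        echo "refusing: $sock is not root-only ($(ls -ld "$sock"))" >&2
        return 1
    fi
    printf '%s\n' "$*" | socat - "unix:$sock"
}

# Usage on the host, as root:
#   container_root_cmd foo 'systemctl status sshd'
```

The socket mode alone is not the whole story: connecting to a Unix socket also requires search permission on every directory above it, so /var/lib/containers/<name> and its var/lib must not be traversable by unprivileged users either, or a permissive umask on the socket would be reachable.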
Eelco Dolstra
1b6c01721d Revert "nixos-manual: show manual on tty8 by default"
This reverts commit b792394119.
Starting the manual on tty8 was intended as a convenience during
installation, not as a general purpose thing.  In fact, given that w3m
runs as root, this is highly insecure!
2014-03-17 12:45:57 +01:00
Eelco Dolstra
14af15dbff Explicitly require Nix 1.6
People using Nix < 1.6 previously got an unhelpful "infinite
recursion" error.
2014-03-17 11:33:36 +01:00
Eelco Dolstra
c0f3f6e396 linux: Update to 3.4.83 2014-03-17 11:25:48 +01:00
Eelco Dolstra
ea1cd70128 geoip: Convert to mkDerivation
Also, drop unused zlib dependency and add some meta attributes.
2014-03-17 11:23:59 +01:00
Mathijs Kwik
779a959982 add haskell-lzma-enumerator 2014-03-17 07:30:26 +01:00
Domen Kozar
11874b9e3b add Planetary Annihilation: next-generation RTS that takes the genre to a planetary scale 2014-03-16 23:31:08 +01:00
mornfall
fe995cdedc Merge pull request #1775 from thoughtpolice/duo_unix
Duo Security module and uid/gid support for /etc files
2014-03-16 23:06:01 +01:00
mornfall
ec353692ad Merge pull request #1849 from thoughtpolice/criu
criu: version 1.2
2014-03-16 22:58:54 +01:00
mornfall
2891925265 Merge pull request #1973 from thoughtpolice/nmap
nmap: add myself to maintainers, add homepage/description
2014-03-16 22:55:34 +01:00
Austin Seipp
4c04474c27 nmap: add myself to maintainers, add homepage/description
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 16:53:08 -05:00
Vladimír Čunát
9363303922 pfstools: update from 1.8.3 to 1.8.5 2014-03-16 17:46:39 +01:00
Vladimír Čunát
3caa572a8e xfce4-task-manager: minor update 1.0.0 -> .1 2014-03-16 17:46:16 +01:00
Vladimír Čunát
607678341d xfce.tumbler: minor update 0.1.29 -> .30 2014-03-16 17:46:16 +01:00
Vladimír Čunát
ab05fa29eb xfce.gigolo: minor update 0.4.1 -> .2
It no longer uses Waf.
2014-03-16 17:46:15 +01:00
Vladimír Čunát
76822ea4d5 libav: minor updates of both branches 2014-03-16 17:45:48 +01:00
Vladimír Čunát
8de867c958 qt_gstreamer: update from 0.10.2 to 0.10.3 2014-03-16 17:45:07 +01:00
Vladimír Čunát
d4da7e5e4f man-pages-posix: update 2003a -> 2013-a 2014-03-16 17:39:50 +01:00
Domen Kožar
08eaf76667 Merge pull request #1971 from matejc/deluge_curses
deluge: add curses module for deluge-console
2014-03-16 16:15:48 +01:00
Matej Cotman
af16343504 deluge: add curses module for deluge-console 2014-03-16 16:01:42 +01:00
Ricardo M. Correia
a16e1e2133 chromium: Update stable and beta channels
stable: 33.0.1750.149 -> 33.0.1750.152
beta:   34.0.1847.45  -> 34.0.1847.60
2014-03-16 13:26:01 +01:00
Austin Seipp
47b35d5e80 criu: version 1.2
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:16:34 -05:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
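One caveat a practitioner will want with this module: a literal secret such as security.duosec.skey written into configuration.nix becomes part of a build output in the Nix store, and every store path is world-readable, so whatever mode or uid/gid the generated /etc file gets does not stop a local user from reading the key out of the store. The following added example (not part of the Duo module or nixpkgs) audits a Duo config file for exactly that: it flags the file if it resolves into the store prefix or is world-readable. The file names /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf are assumptions (the commit message does not name them), and the store prefix is a parameter so the check can be exercised on a scratch directory.

```shell
#!/bin/sh
# Audit where a Duo secret actually ends up (added example, not project code).
# Assumed config locations: /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf.

# target_in_store PATH STORE -> 0 if PATH (following symlinks) lies under STORE
target_in_store() {
    target=$(readlink -f "$1") || return 1
    store=$(readlink -f "$2") || return 1
    case "$target" in
        "$store"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# world_readable PATH -> 0 if "others" have the read bit on the final target
world_readable() {
    [ "$(ls -ldL "$1" | cut -c8)" = r ]
}

# audit_duo_secret PATH [STORE] -> 0 if the secret is neither in the store
# nor world-readable, 1 if exposed, 2 if the file is missing
audit_duo_secret() {
    f=$1; store=${2:-/nix/store}; rc=0
    [ -e "$f" ] || { echo "$f: missing" >&2; return 2; }
    if target_in_store "$f" "$store"; then
        echo "$f -> $(readlink -f "$f"): secret lives in the world-readable store"
        rc=1
    fi
    if world_readable "$f"; then
        echo "$f is world-readable ($(ls -ldL "$f" | cut -c1-10))"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: not in store, not world-readable"
    return $rc
}

# Usage on a NixOS host:
#   for f in /etc/duo/pam_duo.conf /etc/duo/login_duo.conf; do audit_duo_secret "$f"; done
```

If the audit reports the store path, the fix is to keep the key out of the Nix expression altogether (for example by having the file written at activation time from a root-only location outside the store) rather than to tighten permissions on the /etc copy.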