Commit graph

643 commits

Author SHA1 Message Date
Eelco Dolstra
518f710547 Fix module loading in systemd-udevd 2014-04-17 12:26:12 +02:00
Eelco Dolstra
89155dbc01 systemd: Enable user systemd instances 2014-04-17 12:03:04 +02:00
Eelco Dolstra
5378da25a0 Apply pam_loginuid before pam_systemd
As recommended by the pam_systemd manpage.
2014-04-17 11:35:18 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
Eelco Dolstra
c81565f6cf Remove hack for using upstream getty units
Also, enable the container-getty@ unit so that "machinectl login"
works.
2014-04-16 16:11:17 +02:00
Eelco Dolstra
e8af68d2dc Make machinectl work 2014-04-16 10:48:14 +02:00
Eelco Dolstra
566a5c33e8 Set MODULE_DIR in systemd-load-modules.service 2014-04-16 10:43:33 +02:00
Eelco Dolstra
8b7d73abba Don't run the cpufreq service in VMs 2014-04-16 10:36:16 +02:00
William A. Kennington III
85e9ad1b2f stage1: Systemd libraries were renamed 2014-04-16 01:49:42 +02:00
Eelco Dolstra
ab989f525b Drop ALSA dependency in containers 2014-04-16 01:44:43 +02:00
Eelco Dolstra
60a84019b4 Don't make containers depend on cpupower 2014-04-16 01:11:32 +02:00
William A. Kennington III
dd209e901c cpu-freq: Use cpupower instead of cpufrequtils
Additionally, put the powersave utility in charge of loading the
cpufrequency modules based on the governor specified in the
configuration.
2014-04-16 01:10:26 +02:00
Eelco Dolstra
2fc520d699 Simplify assertion 2014-04-16 01:08:14 +02:00
William A. Kennington III
eda854d50f systemd: Add an assertion to guarantee oneshot units do not have restart set
This prevents insidious errors once systemd begins handling the unit. If
the unit is loaded at boot, any errors of this nature are logged to the
console before the journal service is running. This makes it very hard
to diagnose the issue. Therefore, this assertion helps guarantee the
mistake is not made.
2014-04-16 01:05:56 +02:00
William A. Kennington III
6ff2521974 upstart: Oneshot rules should always have Restart=no 2014-04-16 01:04:52 +02:00
Eelco Dolstra
ee9c068b0c systemd: Update to 212
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.

This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
2014-04-16 00:59:26 +02:00
Eelco Dolstra
e8eea659a0 Don't enable LVM2 in containers
It's a somewhat pointless dependency.
2014-04-15 23:43:39 +02:00
William A. Kennington III
d2ee6e6a24 stage 1: Remove scsi_wait_scan as it is not supported after kernel 3.7 2014-04-15 14:59:39 +02:00
Austin Seipp
da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00
Eelco Dolstra
5fa812ba5e Containers: Inherit the platform type of the host
http://hydra.nixos.org/build/10350055
2014-04-15 12:58:42 +02:00
Eelco Dolstra
00372ca638 nixos-rebuild: Fallback for upgrading Nix
Previously, if the currently installed Nix is too old to evaluate
Nixpkgs, then nixos-rebuild would fail and the user had to upgrade Nix
manually. Now, as a fallback, we run ‘nix-store -r’ to obtain a binary
Nix directly from the binary cache.
2014-04-15 12:07:34 +02:00
Eelco Dolstra
f9e6181478 nixos-rebuild: Exec nixos-rebuild from the new Nixpkgs tree
This allows doing any necessary actions that were not in the installed
nixos-rebuild (such as downloading a new version of Nix). This does
require us to be careful that nixos-rebuild is backwards-compatible
(i.e. can run in any old installation).
2014-04-15 12:07:29 +02:00
Eelco Dolstra
35bf0f4810 Don't restart container-startup-done 2014-04-15 12:07:24 +02:00
Eelco Dolstra
596bd37163 Don't restart container shells in switch-to-configuration 2014-04-15 12:07:18 +02:00
Austin Seipp
ae207efc07 nixos: add spiped service module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 03:33:47 -05:00
Austin Seipp
42954a2d20 Fix hydra UID
The style for IDs dictates that groups/users should have the same ID -
so if a user doesn't have a group or vice versa, then we should skip
that ID.

In this case, we had already assigned grsecurity GID 121, but I
accidentally also assigned Hydra UID 121. Instead, let's assign Hydra
UID 122. And also assign a GID (122) as well.

Luckily nobody was depending on this yet (except me).

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 02:29:13 -05:00
Vladimír Čunát
8340454544 mesa: have all output on /run/opengl-driver{,-32}
Fixes #2242 in a different way (cleaner, I hope).
2014-04-14 21:38:23 +02:00
Vladimír Čunát
557dff54aa nixos opengl: add s2tc to mesa drivers by default
Close #2200. Thanks to @cpages for suggesting and testing this.
2014-04-14 21:38:23 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Bjørn Forsman
6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp
a3155a0e2a nixos: add a UID for Hydra
Otherwise the Hydra module can't be used when mutableUsers = false;

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 21:20:18 -05:00
Austin Seipp
64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Shea Levy
0122697550 Revert "Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs"
Reverting postgres superuser changes until after stable.

This reverts commit 6cc0cc7ff6, reversing
changes made to 3c4be425db.
2014-04-11 19:23:03 -04:00
Shea Levy
9b077bac58 Revert "postgresql: properly fix permissions issue by in postStart"
Reverting postgres superuser changes until after stable.

This reverts commit c66be6378d.
2014-04-11 19:22:43 -04:00
Shea Levy
e9e60103de Revert "Create the 'postgres' superuser"
Reverting postgres superuser changes until after stable.

This reverts commit 7de29bd26f.
2014-04-11 19:22:39 -04:00
Shea Levy
c23050e231 Revert "Use PostgreSQL 9.3's pg_isready to wait for connectivity"
Reverting postgres superuser changes until after stable.

This reverts commit e206684110.
2014-04-11 19:21:50 -04:00
Eelco Dolstra
e2bc9a3d14 Include Archive::Cpio in the installation CD
http://hydra.nixos.org/build/10268978
2014-04-11 17:16:44 +02:00
Eelco Dolstra
13185280fe Fix tests broken due to the firewall being enabled by default 2014-04-11 17:16:44 +02:00
Eelco Dolstra
017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra
b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra
2da09363bf nix: Update to 1.7 2014-04-11 12:24:48 +02:00
Peter Simons
ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Eelco Dolstra
d2155649af Merge branch 'containers'
Fixes #2105.
2014-04-10 15:55:51 +02:00
Eelco Dolstra
6a7a8a144f Document NixOS containers 2014-04-10 15:07:29 +02:00
Eelco Dolstra
a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Eelco Dolstra
ac8c924c09 nixos-container: Add ‘run’ and ‘root-login’ commands
And remove ‘root-shell’.
2014-04-10 15:07:29 +02:00
Eelco Dolstra
da4f180252 Bring back ‘nixos-container update’ 2014-04-10 15:07:29 +02:00
Eelco Dolstra
3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Peter Simons
26d8f54587 Merge pull request #2198 from offlinehacker/nixos/shadow/login_containers_fix
nixos: fix shell on conatiners
2014-04-10 12:39:19 +02:00