This makes it easier for systemd to track it and avoids race conditions such as
this one:
systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
systemd[1]: Failed to start SSH Daemon.
systemd[1]: Unit sshd.service entered failed state.
systemd[1]: sshd.service holdoff time over, scheduling restart.
systemd[1]: Stopping SSH Daemon...
systemd[1]: Starting SSH Daemon...
sshd[2315]: Server listening on 0.0.0.0 port 22.
sshd[2315]: Server listening on :: port 22.
sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
sshd[2335]: fatal: Cannot bind any address.
systemd[1]: Started SSH Daemon.
* Add group 'networkmanager' and implement polkit configuration
that allows users in this group to make persistent, system-wide
changes to NetworkManager settings.
* Add support for ModemManager. 3G modems should work out of the
box now (it does for me...). This introduces a dependency on
pkgs.modemmanager.
* Write NetworkManger config file to Nix store, and let the
daemon use it from there.
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
Subtle: dhcpcd.service would call resolvconf during shutdown, which in
turn would start invalidate-nscd.service, causing the shutdown to be
cancelled. Instead, give nscd.service a proper reload action, and do
"systemctl reload --no-block nscd.service". The --no-block is
necessary to prevent that command from waiting until a timeout occurs
(bug in systemd?).
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path". The underlying problem is that
you cannot do
"${./file1} ${./file2}"
but you can do
" ${./file1} ${./file2}"
Obviously we should allow the first case as well.
Enabled a bunch of units that ship with systemd. Also added an option
‘boot.systemd.units’ that can be used to define additional units
(e.g. ‘sshd.service’).
I remember the 'named' log was giving annoying messages on systems not ipv6
capable (I can't recall if lacking the kernel ipv6 code or unconfigured ipv6
addresses).
svn path=/nixos/trunk/; revision=34419
are included in the manual, so this causes a different manual to be
built for each machine.
* Clean up indentation of cntlm module.
svn path=/nixos/trunk/; revision=34387
interfaces black-listed for dhcpcd via configuration.nix. I use this option to
disable DHCP for "veth*" interfaces, which are created by LXC for use inside of
virtual machines.
svn path=/nixos/trunk/; revision=34018
lines below a certain marker. This is undesirable because commands
like "ssh-copy-id" add keys to the end of the file. Instead mark
all automatically added lines individually.
svn path=/nixos/trunk/; revision=33918
challenge-response is an authentication method that does not need the
plain text password to be emitted over the (encrypted) connection.
This is nice if you don't fully trust the server.
It is enabled (upstream) by default.
To the end user, it still looks like normal password authentication,
but instead of sending it, it is used to hash some challenge.
This means that if you don't want passwords to be used ever at all,
and just stick to public key authentication, you probably want to
disable this option too.
svn path=/nixos/trunk/; revision=33513
wpa_gui or wpa_cli.
Comes with a default wpa_supplicant.conf, which gets updated through
aforementioned utilities.
svn path=/nixos/trunk/; revision=33510
You can now set the forwardX11 config option for the ssh client and server separately.
For server, the option means "allow clients to request X11 forwarding".
For client, the option means "request X11 forwarding by default on all connections".
I don't think it made sense to couple them. I might not even run the server on some machines.
Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it,
I use the -X/-Y option, or set it in my ~/.ssh/config.
I also decoupled the 'XAuthLocation' logic from forwardX11.
For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it.
As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now.
svn path=/nixos/trunk/; revision=33407
delete routes and addresses when it quits. This causes those routes
and addresses to stick around forever, since dhcpcd won't delete
them when it runs next (even if it acquires a new lease on the same
interface). This is bad; in particular the stale (default) routes
can break networking.
The downside to removing "persistent" is that you should never ever
do "stop dhcpcd" on a remote machine configured by dhcpcd.
svn path=/nixos/trunk/; revision=33388
starts the given job and waits until it's running; "stop_check"
checks that the current job hasn't been asked to stop.
svn path=/nixos/trunk/; revision=33214
modprobe.
* Move the implementation of boot.kernelModules from the udev job to
the activation script. This prevents races with the udev job.
* Drop references to the "capability" kernel module, which no longer
exists.
svn path=/nixos/trunk/; revision=33208
JOB", but it does kill the job's main process. So if the post-start
script if waiting for the job's main process to reach some state, it
may hang forever. Thus, the post-start script should monitor
whether its job has been requested to stop and exit in that case.
svn path=/nixos/trunk/; revision=33176
nfsd, as suggested by the nfs-utils README.
Also, rather than relying on Upstart events (which have all sorts of
problems, especially if you have jobs that have multiple
dependencies), we know just let jobs start their on prerequisites.
That is, nfsd starts mountd in its preStart script; mountd starts
statd; statd starts portmap. Likewise, mountall starts statd to
ensure that it can mount NFS filesystems. This means that doing
something like "start nfsd" from the command line will Do The Right
Thing and start the dependencies of nfsd.
svn path=/nixos/trunk/; revision=33172
actually listening. Otherwise we have a race condition during boot
where statd's start can be delayed, causing NFSv3 mounting to fail.
svn path=/nixos/trunk/; revision=33171
It works but it doesn't respect ignoredInterfaces etc.
Probably I forgotten to create some directories (all of them exist on my
laptop). Feel free to fix this module.
svn path=/nixos/trunk/; revision=33097
well because elements could be paths, e.g.
users.extraUsers.root.openssh.authorizedKeys.keyFiles =
[ ./id_key.pub ];
So disable the type check for now.
svn path=/nixos/trunk/; revision=32558
yet). It's smaller than dhclient and has more features
(e.g. automatically detects link status changes, supports
openresolv, does IPv4LL, and supports IPv6 Router Advertisements).
svn path=/nixos/trunk/; revision=32413
event is emitted by dhclient and by the network-interfaces job in
case of statically configured interfaces. Invalidating the cache is
necessary to get rid of negative queries.
svn path=/nixos/trunk/; revision=31779
After the change from revision 30103, nixos-rebuild suddenly consumed
freaky amounts of memory. I had to abort the process after it had
allocated well in excess of 30GB(!) of RAM. I'm not sure what is causing
this behavior, but undoing that assignment fixes the problem. The other
two commits needed to be revoked, too, because they depend on 30103.
svn path=/nixos/trunk/; revision=30127
chroot (the latter doesn't exist).
* vsftpd: make the anonymous user's home read-only, otherwise vsftpd
will fail.
svn path=/nixos/trunk/; revision=27983
Setting both of these options to 'false' configures the OpenSSH daemon to
reject password authentication, i.e. users must have an appropriate key in
~/.ssh/authorized_keys in order to be able to log in.
svn path=/nixos/trunk/; revision=27732
should make it easier to compose with packages that set their own
firewall rules, such as Nova or Libvirt.
* Provide a chain for accepted packets (‘nixos-fw-accept’), requested
by Nicolas Pierron.
svn path=/nixos/trunk/; revision=27607
for (apparently) open TCP connections that connection tracking
doesn't know about. This prevents TCP connections to this machine
from hanging in CLOSE_WAIT for a long time.
svn path=/nixos/trunk/; revision=26802
* Firewall: change the policy of the INPUT chain back to ACCEPT to
prevent a lockup when the Nix store is mounted over the network
(i.e. in our VM tests). This is because as soon as the policy is
set to DROP, the iptables modules that enable access to the network
filesystem cannot be acccessed anymore.
svn path=/nixos/trunk/; revision=26274
