Running it from systemd rather than cron has several advantages:
systemd ensures that only one instance runs at a time; the GC can be
manually started/stopped; and logging goes to the journal.
We still need cron to start the service at the right time, but
hopefully soon we can get rid of cron entirely (once systemd supports
starting a unit at a specific time).
This is mainly useful for specifying mounts that depend on other
units. For example sshfs or davfs need network (and possibly
nameservices).
While systemd makes a distinction between local and remote
filesystems, this only works for in-kernel filesystems such as
nfs and cifs.
fuse-based filesystems (such as sshfs and davs) are classified as
local, so they fail without networking. By explicitly declaring these
mounts as full systemd units (as opposed to having systemd generate
them automatically from /etc/fstab), dependencies can be specified as
on every other unit.
In the future, we can probably port NixOS' filesystems handling to use
these native systemd.mount units and skip /etc/fstab altogether, but
this probably requires additional changes, such as starting systemd
even earlier during boot (stage 1).
I'm not any good at perl, and I only came up with this after many
slow attempts. Any review welcome.
But until this, memtest was broken, and extraPrepareConfig as well, in grub.
Having all services with DefaultDependencies=yes depend on
local-fs.target is annoying, because some of those services might be
necessary to mount local filesystems. For instance, Charon's
send-keys feature requires sshd to be running in order to receive LUKS
encryption keys, which in turn requires dhcpcd, and so on. So we drop
this dependency (and swap.target as well for consistency). If
services require a specific mount, they should use RequiresMountsFor
in any case.
Charon needs this to include the dynamically generated
/root/.vbox-charon-client-key. (We used
users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but
that no longer works.)
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
This has rendered my system unbootable, because I forgot to enable AUTOFS4 in my
custom kernel. In addition to AUTOFS4, this includes (hopefully) all other
kernel features needed by systemd, as listed in the README:
REQUIREMENTS:
Linux kernel >= 2.6.39
with devtmpfs
with cgroups (but it's OK to disable all controllers)
optional but strongly recommended: autofs4, ipv6
Autofs4 is not a requirement here, but in our case it turns out that the system
is not able to boot properly with a LUKS-enabled system (or at least not on _my_
system).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The xsession script runs services that depend on a sane environment. Gpg-agent, for
example, runs the program "pinentry-gtk-2" to obtain the password to unlock GnuPG
and SSH keys. That program will display only gibberish unless $FONTCONFIG_FILE is
configured properly. Instead of configuring these variables explicitly one by one,
we just source /etc/profile, which contains the appropriate @shellInit@ code.
This is needed in order to properly lock your screen using the C-a C-x
(lockscreen) command _and_ being back to re-login, because the "other" PAM
service/fallback is to deny authentication.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Thus
networking.interfaces = [ { name = "eth0"; ipAddress = "192.168.15.1"; } ];
can now be written as
networking.interfaces.eth0.ipAddress = "192.168.15.1";
The old notation still works though.
Running agetty on ttyS0 interferes with the backdoor, which uses ttyS0
as its standard error. After agetty starts, writes to the stderr file
descriptor will return EIO (though doing "exec 2>/proc/self/fd/2" will
miracuously fix this).
http://hydra.nixos.org/build/3252782
Cgroups are handled by systemd now. Systemd's cgroup support does not
do all the things that cgrulesengd does, but they're likely to
interact poorly with each other.
‘systemd-vconsole-setup’ by default operates on /dev/tty0, the
currently active tty. Since it puts /dev/tty0 in Unicode or ASCII
mode, if the X server is currently active when it runs, keys such as
Alt-F4 won't reach the X server anymore. So use /dev/tty1 instead.
We now just have a simple attribute called "version24" which replaces all those
pesky versionOlder that were spreading throughout the file and makes things way
more readable.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
By default the path is determined related to ServerRoot. Unfortunately
ServerRoot is pointing to the Nix store and the web server can't write to it.
We now create a directory called "runtime" withen the stateDir and point
DefaultRuntimeDir to it.
For more information on the DefaultRuntimeDir directive, please see:
http://httpd.apache.org/docs/2.4/mod/core.html#defaultruntimedir
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
NameVirtualHost no longer has any effect on version 2.4 and just emits ugly
warnings, so let's not use it if we use 2.4.
More information: http://httpd.apache.org/docs/2.4/upgrading.html#misc
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Order/Deny directives are deprecated in version 2.4, so we're going to
define two wrappers for allDenied and allGranted in order to properly generate
configurations for both version 2.2 and 2.4.
For more information an access control changes, see:
http://httpd.apache.org/docs/2.4/upgrading.html#access
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now, MPMs can be loaded at runtime and it's no longer required to compile in one
of the MPM modules statically. So, if version is >= 2.4, load the MPM module
corresponding to the multiProcessingModule value of the service module.
For details, please see: http://httpd.apache.org/docs/2.4/mpm.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Beginning with version 2.3, the authn were refactored. As a result, authn_alias
is now part of the new module authn_core, so let's use authn_core instead of
authn_alias.
For details please see: http://httpd.apache.org/docs/2.4/upgrading.html#misc
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.
This change has no impact if you don't touch the added options, so no
need to adapt.
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.
There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
The triggers are just arbitrary strings that are included in the unit
under X-Restart-Triggers. The idea is that if they change between
reconfigurations, switch-to-configuration will restart the unit
because its store path changed. This is mostly useful for services
that implicitly depend on generated files in /etc. Thus you can say
restartTriggers = [ confFile ];
where ‘confFile’ is the derivation that generated the /etc file in
question.
Flushing is bad if the Nix store is on a remote filesystem accessed
over that interface.
http://hydra.nixos.org/build/3184162
Also added a interface option ‘prefixLength’ as a better alternative
to ‘subnetMask’.
Instead it's enough to depend on
sys-subsystem-net-devices-<interface>.device, which in turn has a
"wants" dependency on the service (if any) that creates the interface.
For each statically configured interface, we now create a unit
‘<interface>-cfg.service’ which gets started as soon as the network
device comes up. Similarly, each bridge defined in
‘networking.bridges’ and virtual interface in ‘networking.interfaces’
is created by a service ‘<interface>.service’.
So if we have
networking.bridges.br0.interfaces = [ "eth0" "eth1" ];
networking.interfaces =
[ { name = "br0";
ipAddress = "192.168.1.1";
}
];
then there will be a unit ‘br0.service’ that depends on
‘sys-subsystem-net-devices-eth0.device’ and
‘sys-subsystem-net-devices-eth1.device’, and a unit ‘br0-cfg.service’
that depends on ‘sys-subsystem-net-devices-br0.device’.
The special handling for cronjobs should probably move to the cron
module (logcheckIgnore = bool option) in the future, as it's more
natural to just declare a cronjob, and mark it as "log-ignored",
instead of adding cronjobs through logcheck.
But as systemCronjobs is not an attrset yet (just simple strings),
this would require adding an attrset for cronjobs or parsing strings
in the nix language to get hold of the cron-user and command.
So for now, I keep the interface within logcheck's module.
However SLIM is still broken and you have to create a
/usr/lib/dri/fglrx_dri.so symlink pointing to
/run/opengl-driver/lib/fglrx_dri.so
At least fgl_glxgears shows 10 times more frames per second now
This is broken because it requires restarting applications to see new
NSS modules. The proper way to handle NSS modules is through nscd.
See commit 554ae9908b.
The upower daemon needs the gdbus command (which is weird given that
upower links against dbus_glib, but ah well...). This fixes suspend
in KDE with systemd.
Alsa-utils provides a udev rule to restore volume settings, so use
that instead of restoring them from a systemd service. The
"alsa-store" service saves the settings on shutdown.
It's not enough to say "after udev-settle.service" since
udev-settle.service is not wanted/required anywhere - we need to say
"wants udev-settle.service" as well.
This should fix problems with ALSA and X11 initialisation that people
have been seeing.
So instead of:
boot.systemd.services."foo".serviceConfig =
''
StartLimitInterval=10
CPUShare=500
'';
you can say:
boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
boot.systemd.services."foo".serviceConfig.CPUShare = 500;
This way all unit options are available and users can set/override
options in configuration.nix.
This makes it easier for systemd to track it and avoids race conditions such as
this one:
systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
systemd[1]: Failed to start SSH Daemon.
systemd[1]: Unit sshd.service entered failed state.
systemd[1]: sshd.service holdoff time over, scheduling restart.
systemd[1]: Stopping SSH Daemon...
systemd[1]: Starting SSH Daemon...
sshd[2315]: Server listening on 0.0.0.0 port 22.
sshd[2315]: Server listening on :: port 22.
sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
sshd[2335]: fatal: Cannot bind any address.
systemd[1]: Started SSH Daemon.
When spamd isn't running as 'root', it cannot access the usual ~/.spamassassin
path where user-specific files normally reside. Instead, we use the path
/var/lib/spamassassin-<user> to store those home directories.
* Add group 'networkmanager' and implement polkit configuration
that allows users in this group to make persistent, system-wide
changes to NetworkManager settings.
* Add support for ModemManager. 3G modems should work out of the
box now (it does for me...). This introduces a dependency on
pkgs.modemmanager.
* Write NetworkManger config file to Nix store, and let the
daemon use it from there.
It specifies what mingetty will be stopped, if a bad filesystem
triggers an emergency shell.
That should be ttyS0 on headless systems, and in that case,
nixos should stop the ttyS0 mingetty from getting in.
I had some problems with LDAP user lookups not working properly
at boot. I found that invalidating passwd and group on the
ip-up event (when nscd-invalidate starts) helped a bit.
Systemd sets locale variables like $LANG when running services, so
$LOCALE_ARCHIVE should also be set to prevent warnings like "perl:
warning: Setting locale failed.".
If passno is set, then systemd will instantiate a systemd-fsck unit,
which in turn will instantiate a <device>.device unit
(e.g. "none.device"). Since no such device exists, mounting will
fail. So don't set passno.
kernel 3.4+ needs cifs-utils to mount CIFS filesystems.
the kernel itself (and busybox's cifs mount code) are no longer able
to do this in some/most cases and will error out saying:
"CIFS VFS: connecting to DFS root not implemented yet"
Nixos' qemu-vm target is hurt by this, as it wants to mount /nix/store
via cifs very early in the boot process.
This commit makes sure the initrd for affected kernels is built with
cifs-utils if needed.
proxy_arp (and proxy_ndp for ipv6) can be turned on on a few
interfaces (at least 2).
This is mainly useful for creating pseudo-bridges between a real
interface and a virtual network such as VPN or a virtual machine for
interfaces that don't support real bridging (most wlan interfaces).
As ARP proxying acts slightly above the link-layer, below-ip traffic
isn't bridged, so things like DHCP won't work. The advantage above
using NAT lies in the fact that no IP addresses are shared, so all
hosts are reachable/routeable.
If a service has a corresponding socket unit, then stop the socket
before stopping the service. This prevents it from being restarted
behind our backs. Also, don't restart the service; it will be
restarted on demand via the socket.