Commit graph

494 commits

Author SHA1 Message Date
Eelco Dolstra
da4f180252 Bring back ‘nixos-container update’ 2014-04-10 15:07:29 +02:00
Eelco Dolstra
3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Eelco Dolstra
819e7c9fbd Add a test for NixOS containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
1e4fa227fe nixos-container: Don't destroy declarative containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
b0b3fa928a Disable container support in containers
Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
1ad9a654be Make starting a container synchronous
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
269926df0d container-login.nix -> container-config.nix 2014-04-03 16:36:16 +02:00
Eelco Dolstra
fee81c3739 Always enable container logins 2014-04-03 16:35:36 +02:00
Eelco Dolstra
6da72a4456 nixos-container: Rewrite in Perl
Also fix race condition when multiple containers are created
simultaneously (as NixOps tends to do).
2014-03-31 19:49:15 +02:00
Eelco Dolstra
7ebd856a38 Provide nixos-container unconditionally 2014-03-31 19:49:01 +02:00
Eelco Dolstra
07adfae551 Remove hard-coded SSH key 2014-03-24 12:19:28 +01:00
Eelco Dolstra
6010b0e886 nixos-container: NixOps helper functions 2014-03-24 12:19:28 +01:00
Eelco Dolstra
29c469b88d Allow dashes in container names 2014-03-24 12:19:28 +01:00
Eelco Dolstra
ba88db3cd3 Add support for imperative container management
The command nixos-container can now create containers.  For instance,
the following creates and starts a container named ‘database’:

  $ nixos-container create database

The configuration of the container is stored in
/var/lib/containers/<name>/etc/nixos/configuration.nix.  After editing
the configuration, you can make the changes take effect by doing

  $ nixos-container update database

The container can also be destroyed:

  $ nixos-container destroy database

Containers are now executed using a template unit,
‘container@.service’, so the unit in this example would be
‘container@database.service’.
2014-03-24 12:19:27 +01:00
Eelco Dolstra
0cca0f477f nixos-container-shell -> nixos-container { login | root-shell } 2014-03-24 12:19:27 +01:00
Eelco Dolstra
2ace7edb81 Rename systemd.containers -> containers
That NixOS containers use systemd-nspawn is just an implementation
detail (which we could change in the future).
2014-03-24 12:19:27 +01:00
Eelco Dolstra
7ee31c7f94 Fix permissions 2014-03-18 18:04:38 +01:00
Eelco Dolstra
5b10ea1f99 Don't run dhcpcd in containers 2014-03-18 11:39:51 +01:00
Eelco Dolstra
11c4c4ae54 Add command ‘nixos-container-shell’ for logging into a container 2014-03-18 11:36:03 +01:00
Eelco Dolstra
7b82d1ee27 Ensure that the container root can always be accessed via /var/lib/containers 2014-03-18 11:04:54 +01:00
Eelco Dolstra
895bcdd1cb Add support for running a container with a private network interface
For example, the following sets up a container named ‘foo’.  The
container will have a single network interface eth0, with IP address
10.231.136.2.  The host will have an interface c-foo with IP address
10.231.136.1.

  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules.  This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
2014-03-18 10:49:25 +01:00
Eelco Dolstra
ac215779dd Give containers a writable /nix/var/nix/{profiles,gcroots}
These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.
2014-03-17 15:23:20 +01:00
Eelco Dolstra
ef8e0266a2 Don't reboot a container when its configuration changes
Instead, just run "switch-to-configuration" inside the container.
2014-03-17 15:03:29 +01:00
Eelco Dolstra
511b86d22d Add an option to reload rather than restart changed units 2014-03-17 15:02:53 +01:00
Eelco Dolstra
28b7d67d08 httpd: Don't require keys.target
This has the unintended side-effect of restarting httpd every time we
run switch-to-configuration, even if httpd hasn't changed (because
we're doing a "stop keys.target" now).  So use a "Wants" dependency
instead.
2014-03-17 15:01:10 +01:00
Eelco Dolstra
f9e2af1e8b switch-to-configuration: Don't require /etc/NIXOS
Check /etc/os-release if /etc/NIXOS doesn't exist.
2014-03-17 14:16:10 +01:00
Eelco Dolstra
f13bd41384 switch-to-configuration: Restart sockets.target 2014-03-17 14:10:48 +01:00
Eelco Dolstra
0d506aa712 Provide a simple way to log into containers
On the host, you can run

  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw

to get a login prompt.  So this allows logging in even if the
container has no SSH access enabled.

You can also do

  $ socat unix:<path-to-container>/var/lib/root-shell.socket -

to get a plain root shell.  (This socket is only accessible by root,
obviously.)  This makes it easy to execute commands in the container,
e.g.

  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
2014-03-17 14:10:47 +01:00
Eelco Dolstra
1b6c01721d Revert "nixos-manual: show manual on tty8 by default"
This reverts commit b792394119.
Starting the manual on tty8 was intended as a convenience during
installation, not as a general purpose thing.  In fact, given that w3m
runs as root, this is highly insecure!
2014-03-17 12:45:57 +01:00
mornfall
fe995cdedc Merge pull request #1775 from thoughtpolice/duo_unix
Duo Security module and uid/gid support for /etc files
2014-03-16 23:06:01 +01:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
Shea Levy
6cc0cc7ff6 Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs
postgresql module: Use the default superuser username
2014-03-15 13:29:52 -04:00
Shea Levy
3f6a654d9c Merge branch 'zsh' of git://github.com/ttuegel/nixpkgs
zsh: don't clobber the environment of non-login shells
2014-03-15 13:11:38 -04:00
Bjørn Forsman
f7006116b3 nixos/gpsd-service: add type declarations to options 2014-03-15 17:35:55 +01:00
Bjørn Forsman
28e5f72f05 nixos/gpsd-service: change from deprecated 'jobs' type to 'systemd'
This has the nice side-effect of making gpsd actually run!

Old behaviour (debugLevel=2):

  systemd[1]: gpsd.service holdoff time over, scheduling restart.
  systemd[1]: Stopping GPSD daemon...
  systemd[1]: Starting GPSD daemon...
  systemd[1]: gpsd.service start request repeated too quickly, refusing to start.
  systemd[1]: Failed to start GPSD daemon.
  systemd[1]: Unit gpsd.service entered failed state.

New behaviour (debugLevel=2):

  gpsd[945]: gpsd: launching (Version 2.95)
  systemd[1]: Started GPSD daemon.
  gpsd[945]: gpsd: listening on port 2947
  gpsd[945]: gpsd: running with effective group ID 27
  gpsd[945]: gpsd: running with effective user ID 23
  gpsd[945]: gpsd: stashing device /dev/ttyUSB0 at slot 0
2014-03-15 17:35:55 +01:00
Peter Simons
abe9d80979 Merge pull request #1939 from wkennington/master.notbit
notbit: Add systemd service for a system daemon
2014-03-15 10:48:36 +01:00
William A. Kennington III
a42e1d5494 notbit: Add systemd service for a system daemon 2014-03-15 04:36:15 -05:00
Peter Simons
f1a30454f6 Merge pull request #1942 from thoughtpolice/fixups
Trivial fixes for my packages
2014-03-15 09:35:35 +01:00
Ricardo M. Correia
bb188bbba7 nixos: Add ZFS auto-snapshotting module 2014-03-15 01:56:42 +01:00
Shea Levy
602cf8d78c Merge branch 'u/zfs-import' of git://github.com/wizeman/nixpkgs
zfs: Misc fixes
2014-03-14 19:40:34 -04:00
Shea Levy
0c12dd3ded Merge branch 'pkgs/systemd/journald_http_gateway' of git://github.com/offlinehacker/nixpkgs
systemd: python support & journal http gateway

Conflicts:
	nixos/modules/misc/ids.nix
2014-03-14 19:16:59 -04:00
Shea Levy
8502d84bd2 Merge branch 'nixos/network-interfaces/ipv6' of git://github.com/offlinehacker/nixpkgs
nixos/network-interfaces: add support for static ipv6 addresses
2014-03-14 18:54:59 -04:00
Shea Levy
a0d574f19b firewall: Allow setting rate limits for pings 2014-03-14 14:55:30 -04:00
Shea Levy
50d144278d mysql module: Specify --basedir
Needed for mariadb and safe for mysql
2014-03-14 11:56:54 -04:00
Corey O'Connor
40de28afca remove users.jenkins config start on slave config.
Uses standard NixOS user config merging.
Work in progress: The slave config does not actually start the slave agent. This just configures a
jenkins user if required. Bare minimum to enable a nice jenkins SSH slave.
2014-03-13 13:01:50 -07:00
Corey O'Connor
292ece425e match systemd style and silent curl progress bar during startup check 2014-03-13 13:01:49 -07:00
Corey O'Connor
9b79d5b298 Add jenkins continuous integration server and user.
By default the jenkins server is executed under the user "jenkins". Which can be configured using
users.jenkins.* options. If a different user is requested by changing services.jenkins.user then
none of the users.jenkins options apply.

This patch does not include jenkins slave configuration. Some config options will probably change
when this is implemented.

Aspects like the user and environment are typically identical between slave and master. The service
configs are different. The design is for users.jenkins to cover the shared aspects while
services.jenkins and services.jenkins-slave cover the master and slave specific aspects,
respectively.

Another option would be to place everything under services.jenkins and have a config that selects
master vs slave.
2014-03-13 13:01:49 -07:00
Shea Levy
59a060523e Don't override the baseUnit's PATH by default 2014-03-12 20:03:14 -04:00
Rickard Nilsson
3ed3c60d0f New NixOS module: services.solr, for running a solr server 2014-03-13 00:32:59 +01:00
Eelco Dolstra
e1984f029d autovt@.service really has to be a symlink 2014-03-13 00:19:10 +01:00