movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-27 03:26:50 +03:00
Code Activity

Merge remote-tracking branch 'upstream/master' into hardened-stdenv

Browse source
This commit is contained in:
Robin Gloster 2016-05-30 19:39:34 +00:00
commit 2d382f3d98
711 changed files with 49079 additions and 11672 deletions
Download patch file Download diff file Expand all files Collapse all files

54
nixos/modules/config/fonts/fontdir.nix
View file

@ -4,47 +4,17 @@ with lib;
let
fontDirs = config.fonts.fonts;
localDefs = with pkgs.builderDefs; pkgs.builderDefs.passthru.function rec {
src = "";/* put a fetchurl here */
buildInputs = [pkgs.xorg.mkfontdir pkgs.xorg.mkfontscale];
inherit fontDirs;
installPhase = fullDepEntry ("
list='';
for i in ${toString fontDirs} ; do
if [ -d \$i/ ]; then
list=\"\$list \$i\";
fi;
done
list=\$(find \$list -name fonts.dir -o -name '*.ttf' -o -name '*.otf');
fontDirs='';
for i in \$list ; do
fontDirs=\"\$fontDirs \$(dirname \$i)\";
done;
mkdir -p \$out/share/X11-fonts/;
find \$fontDirs -type f -o -type l | while read i; do
j=\"\${i##*/}\"
if ! test -e \"\$out/share/X11-fonts/\${j}\"; then
ln -s \"\$i\" \"\$out/share/X11-fonts/\${j}\";
fi;
done;
cd \$out/share/X11-fonts/
rm fonts.dir
rm fonts.scale
rm fonts.alias
mkfontdir
mkfontscale
cat \$( find ${pkgs.xorg.fontalias}/ -name fonts.alias) >fonts.alias
") ["minInit" "addInputs"];
};
x11Fonts = with localDefs; stdenv.mkDerivation rec {
name = "X11-fonts";
builder = writeScript (name + "-builder")
(textClosure localDefs
[installPhase doForceShare doPropagate]);
};
x11Fonts = pkgs.runCommand "X11-fonts" { } ''
mkdir -p "$out/share/X11-fonts"
find ${toString config.fonts.fonts} \
\( -name fonts.dir -o -name '*.ttf' -o -name '*.otf' \) \
-exec ln -sf -t "$out/share/X11-fonts" '{}' \;
cd "$out/share/X11-fonts"
rm -f fonts.dir fonts.scale fonts.alias
${pkgs.xorg.mkfontdir}/bin/mkfontdir
${pkgs.xorg.mkfontscale}/bin/mkfontscale
cat $(find ${pkgs.xorg.fontalias}/ -name fonts.alias) >fonts.alias
'';
in
@ -70,6 +40,8 @@ in
environment.systemPackages = [ x11Fonts ];
environment.pathsToLink = [ "/share/X11-fonts" ];
};
}

2
nixos/modules/config/ldap.nix
View file

@ -192,7 +192,7 @@ in
system.activationScripts = mkIf insertLdapPassword {
ldap = stringAfter [ "etc" "groups" "users" ] ''
if test -f "${cfg.bind.password}" ; then
echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig} - > /etc/ldap.conf.bindpw
echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw
mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
chmod 600 /etc/ldap.conf
fi

20
nixos/modules/config/networking.nix
View file

@ -11,6 +11,9 @@ let
config.services.dnsmasq.resolveLocalQueries;
hasLocalResolver = config.services.bind.enable || dnsmasqResolve;
resolvconfOptions = cfg.resolvconfOptions
++ optional cfg.dnsSingleRequest "single-request"
++ optional cfg.dnsExtensionMechanism "ends0";
in
{
@ -59,6 +62,14 @@ in
'';
};
networking.resolvconfOptions = lib.mkOption {
type = types.listOf types.str;
default = [];
example = [ "ndots:1" "rotate" ];
description = ''
Set the options in <filename>/etc/resolv.conf</filename>.
'';
};
networking.proxy = {
@ -171,12 +182,9 @@ in
# Invalidate the nscd cache whenever resolv.conf is
# regenerated.
libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
'' + optionalString cfg.dnsSingleRequest ''
# only send one DNS request at a time
resolv_conf_options+=' single-request'
'' + optionalString cfg.dnsExtensionMechanism ''
# enable extension mechanisms for DNS
resolv_conf_options+=' edns0'
'' + optionalString (length resolvconfOptions > 0) ''
# Options as described in resolv.conf(5)
resolv_conf_options='${concatStringsSep " " resolvconfOptions}'
'' + optionalString hasLocalResolver ''
# This hosts runs a full-blown DNS resolver.
name_servers='127.0.0.1'

4
nixos/modules/config/shells-environment.nix
View file

@ -150,10 +150,6 @@ in
system.build.binsh = pkgs.bashInteractive;
# Ensure TERMINFO is set appropriately *before* user shells are run,
# as they may depend on it
environment.sessionVariables.TERMINFO = "/run/current-system/sw/share/terminfo";
# Set session variables in the shell as well. This is usually
# unnecessary, but it allows changes to session variables to take
# effect without restarting the session (e.g. by opening a new

2
nixos/modules/installer/cd-dvd/iso-image.nix
View file

@ -79,7 +79,7 @@ let
echo "options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset" >> $out/loader/entries/nixos-livecd-nomodeset.conf
echo "default nixos-livecd" > $out/loader/loader.conf
echo "timeout ${builtins.toString config.boot.loader.gummiboot.timeout}" >> $out/loader/loader.conf
echo "timeout ${builtins.toString config.boot.loader.timeout}" >> $out/loader/loader.conf
'';
efiImg = pkgs.runCommand "efi-image_eltorito" { buildInputs = [ pkgs.mtools pkgs.libfaketime ]; }

33
nixos/modules/installer/tools/nixos-generate-config.pl
View file

@ -1,5 +1,6 @@
#! @perl@
use strict;
use Cwd 'abs_path';
use File::Spec;
use File::Path;
@ -69,6 +70,7 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
my @attrs = ();
my @kernelModules = ();
my @initrdKernelModules = ();
my @initrdAvailableKernelModules = ();
my @modulePackages = ();
my @imports;
@ -379,7 +381,7 @@ EOF
# Is this a btrfs filesystem?
if ($fsType eq "btrfs") {
my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
if ($status != 0 || join("", @msg) =~ /ERROR:/) {
if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
die "Failed to retrieve subvolume info for $mountPoint\n";
}
my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
@ -408,7 +410,7 @@ EOF
EOF
if (scalar @extraOptions > 0) {
$fileSystems .= <<EOF;
$fileSystems .= <<EOF;
options = \[ ${\join " ", map { "\"" . $_ . "\"" } uniq(@extraOptions)} \];
EOF
}
@ -417,6 +419,25 @@ EOF
};
EOF
# If this filesystem is on a LUKS device, then add a
# boot.initrd.luks.devices entry.
if (-e $device) {
my $deviceName = basename(abs_path($device));
if (-e "/sys/class/block/$deviceName"
&& read_file("/sys/class/block/$deviceName/dm/uuid", err_mode => 'quiet') =~ /^CRYPT-LUKS/)
{
my @slaves = glob("/sys/class/block/$deviceName/slaves/*");
if (scalar @slaves == 1) {
my $slave = "/dev/" . basename($slaves[0]);
if (-e $slave) {
my $dmName = read_file("/sys/class/block/$deviceName/dm/name");
chomp $dmName;
$fileSystems .= " boot.initrd.luks.devices.\"$dmName\".device = \"${\(findStableDevPath $slave)}\";\n\n";
}
}
}
}
}
@ -440,7 +461,7 @@ sub toNixList {
sub multiLineList {
my $indent = shift;
return " [ ]" if !@_;
$res = "\n${indent}[ ";
my $res = "\n${indent}[ ";
my $first = 1;
foreach my $s (@_) {
$res .= "$indent " if !$first;
@ -457,7 +478,7 @@ my $modulePackages = toNixList(uniq @modulePackages);
my $fsAndSwap = "";
if (!$noFilesystems) {
$fsAndSwap = "\n${fileSystems} ";
$fsAndSwap = "\n$fileSystems ";
$fsAndSwap .= "swapDevices =" . multiLineList(" ", @swapDevices) . ";\n";
}
@ -494,7 +515,7 @@ if ($showHardwareConfig) {
if ($force || ! -e $fn) {
print STDERR "writing $fn...\n";
my $bootloaderConfig = "";
my $bootLoaderConfig = "";
if (-e "/sys/firmware/efi/efivars") {
$bootLoaderConfig = <<EOF;
# Use the gummiboot efi boot loader.
@ -568,7 +589,7 @@ $bootLoaderConfig
# };
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "@nixosRelease@";
system.stateVersion = "${\(qw(@nixosRelease@))}";
}
EOF

4
nixos/modules/misc/ids.nix
View file

@ -267,6 +267,8 @@
graylog = 243;
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
toxvpn = 247;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -504,6 +506,8 @@
emby = 242;
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
#toxvpn = 247; # unused
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

8
nixos/modules/misc/version.nix
View file

@ -5,9 +5,11 @@ with lib;
let
cfg = config.system;
releaseFile = "${toString pkgs.path}/.version";
suffixFile = "${toString pkgs.path}/.version-suffix";
releaseFile = "${toString pkgs.path}/.version";
suffixFile = "${toString pkgs.path}/.version-suffix";
revisionFile = "${toString pkgs.path}/.git-revision";
gitRepo = "${toString pkgs.path}/.git";
gitCommitId = lib.substring 0 7 (commitIdFromGitRepo gitRepo);
in
{
@ -102,6 +104,8 @@ in
# changing them would not rebuild the manual
nixosLabel = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
nixosRevision = mkIf (pathExists gitRepo) (mkDefault gitCommitId);
nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));
# Note: code names must only increase in alphabetical order.
nixosCodeName = "Flounder";

5
nixos/modules/module-list.nix
View file

@ -62,7 +62,8 @@
./programs/bash/bash.nix
./programs/blcr.nix
./programs/cdemu.nix
./programs/command-not-found/command-not-found.nix
# see https://github.com/NixOS/nixos-channel-scripts/issues/4
#./programs/command-not-found/command-not-found.nix
./programs/dconf.nix
./programs/environment.nix
./programs/freetds.nix
@ -346,6 +347,7 @@
./services/networking/mjpg-streamer.nix
./services/networking/minidlna.nix
./services/networking/miniupnpd.nix
./services/networking/mosquitto.nix
./services/networking/mstpd.nix
./services/networking/murmur.nix
./services/networking/namecoind.nix
@ -395,6 +397,7 @@
./services/networking/tftpd.nix
./services/networking/tlsdated.nix
./services/networking/tox-bootstrapd.nix
./services/networking/toxvpn.nix
./services/networking/tvheadend.nix
./services/networking/unbound.nix
./services/networking/unifi.nix

12
nixos/modules/programs/fish.nix
View file

@ -84,19 +84,19 @@ in
set fish_function_path $fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions
fenv source ${config.system.build.setEnvironment} 1> /dev/null
fenv source /etc/fish/foreign-env/shellInit 1> /dev/null
fenv source ${config.system.build.setEnvironment} > /dev/null ^&1
fenv source /etc/fish/foreign-env/shellInit > /dev/null
${cfg.shellInit}
if builtin status --is-login
fenv source /etc/fish/foreign-env/loginShellInit 1> /dev/null
if status --is-login
fenv source /etc/fish/foreign-env/loginShellInit > /dev/null
${cfg.loginShellInit}
end
if builtin status --is-interactive
if status --is-interactive
${fishAliases}
fenv source /etc/fish/foreign-env/interactiveShellInit 1> /dev/null
fenv source /etc/fish/foreign-env/interactiveShellInit > /dev/null
${cfg.interactiveShellInit}
end
'';

2
nixos/modules/programs/man.nix
View file

@ -19,7 +19,7 @@ with lib;
config = mkIf config.programs.man.enable {
environment.systemPackages = [ pkgs.man ];
environment.systemPackages = [ pkgs.man-db ];
environment.pathsToLink = [ "/share/man" ];

143
nixos/modules/programs/tmux.nix
View file

@ -5,8 +5,57 @@ let
cfg = config.programs.tmux;
in
{
defaultKeyMode = "emacs";
defaultResize = 5;
defaultShortcut = "b";
defaultTerminal = "screen";
boolToStr = value: if value then "on" else "off";
tmuxConf = ''
set -g default-terminal "${cfg.terminal}"
set -g base-index ${toString cfg.baseIndex}
setw -g pane-base-index ${toString cfg.baseIndex}
${if cfg.newSession then "new-session" else ""}
${if cfg.reverseSplit then ''
bind v split-window -h
bind s split-window -v
'' else ""}
set -g status-keys ${cfg.keyMode}
set -g mode-keys ${cfg.keyMode}
${if cfg.keyMode == "vi" then ''
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R
bind -r H resize-pane -L ${toString cfg.resizeAmount}
bind -r J resize-pane -D ${toString cfg.resizeAmount}
bind -r K resize-pane -U ${toString cfg.resizeAmount}
bind -r L resize-pane -R ${toString cfg.resizeAmount}
'' else ""}
${if (cfg.shortcut != defaultShortcut) then ''
# rebind main key: C-${cfg.shortcut}
unbind C-${defaultShortcut}
set -g prefix C-${cfg.shortcut}
bind ${cfg.shortcut} send-prefix
bind C-${cfg.shortcut} last-window
'' else ""}
setw -g aggressive-resize ${boolToStr cfg.aggressiveResize}
setw -g clock-mode-style ${if cfg.clock24 then "24" else "12"}
set -s escape-time ${toString cfg.escapeTime}
set -g history-limit ${toString cfg.historyLimit}
${cfg.extraTmuxConf}
'';
in {
###### interface
options = {
@ -14,13 +63,92 @@ in
enable = mkEnableOption "<command>tmux</command> - a <command>screen</command> replacement.";
tmuxconf = mkOption {
aggressiveResize = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Resize the window to the size of the smallest session for which it is the current window.
'';
};
baseIndex = mkOption {
default = 0;
example = 1;
type = types.int;
description = "Base index for windows and panes.";
};
clock24 = mkOption {
default = false;
example = true;
type = types.bool;
description = "Use 24 hour clock.";
};
escapeTime = mkOption {
default = 500;
example = 0;
type = types.int;
description = "Time in milliseconds for which tmux waits after an escape is input.";
};
extraTmuxConf = mkOption {
default = "";
description = ''
The contents of /etc/tmux.conf
Additional contents of /etc/tmux.conf
'';
type = types.lines;
};
historyLimit = mkOption {
default = 2000;
example = 5000;
type = types.int;
description = "Maximum number of lines held in window history.";
};
keyMode = mkOption {
default = defaultKeyMode;
example = "vi";
type = types.enum [ "emacs" "vi" ];
description = "VI or Emacs style shortcuts.";
};
newSession = mkOption {
default = false;
example = true;
type = types.bool;
description = "Automatically spawn a session if trying to attach and none are running.";
};
reverseSplit = mkOption {
default = false;
example = true;
type = types.bool;
description = "Reverse the window split shortcuts.";
};
resizeAmount = mkOption {
default = defaultResize;
example = 10;
type = types.int;
description = "Number of lines/columns when resizing.";
};
shortcut = mkOption {
default = defaultShortcut;
example = "a";
type = types.str;
description = "Ctrl following by this key is used as the main shortcut.";
};
terminal = mkOption {
default = defaultTerminal;
example = "screen-256color";
type = types.str;
description = "Set the $TERM variable.";
};
};
};
@ -28,8 +156,13 @@ in
config = mkIf cfg.enable {
environment = {
etc."tmux.conf".text = tmuxConf;
systemPackages = [ pkgs.tmux ];
etc."tmux.conf".text = cfg.tmuxconf;
variables = {
TMUX_TMPDIR = ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}'';
};
};
};
}

2
nixos/modules/rename.nix
View file

@ -34,6 +34,8 @@ with lib;
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
(mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ])
(mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ])
# smartd
(mkRenamedOptionModule [ "services" "smartd" "deviceOpts" ] [ "services" "smartd" "defaults" "monitored" ])

2
nixos/modules/security/setuid-wrappers.nix
View file

@ -96,7 +96,7 @@ in
}:
''
if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}

4
nixos/modules/services/computing/slurm/slurm.nix
View file

@ -40,7 +40,7 @@ in
defaultText = "pkgs.slurm-llnl";
example = literalExample "pkgs.slurm-llnl-full";
description = ''
The packge to use for slurm binaries.
The package to use for slurm binaries.
'';
};
@ -111,7 +111,7 @@ in
builder = pkgs.writeText "builder.sh" ''
source $stdenv/setup
mkdir -p $out/bin
find ${cfg.package}/bin -type f -executable | while read EXE
find ${getBin cfg.package}/bin -type f -executable | while read EXE
do
exename="$(basename $EXE)"
wrappername="$out/bin/$exename"

24
nixos/modules/services/databases/redis.nix
View file

@ -68,6 +68,22 @@ in
description = "The port for Redis to listen to.";
};
vmOverCommit = mkOption {
type = types.bool;
default = false;
description = ''
Set vm.overcommit_memory to 1 (Suggested for Background Saving: http://redis.io/topics/faq)
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open ports in the firewall for the server.
'';
};
bind = mkOption {
type = with types; nullOr str;
default = null; # All interfaces
@ -193,6 +209,14 @@ in
config = mkIf config.services.redis.enable {
boot.kernel.sysctl = mkIf cfg.vmOverCommit {
"vm.overcommit_memory" = "1";
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
users.extraUsers.redis =
{ name = cfg.user;
uid = config.ids.uids.redis;

2
nixos/modules/services/desktops/gnome3/gnome-keyring.nix
View file

@ -36,7 +36,7 @@ in
environment.systemPackages = [ gnome3.gnome_keyring ];
services.dbus.packages = [ gnome3.gnome_keyring ];
services.dbus.packages = [ gnome3.gnome_keyring gnome3.gcr ];
};

11
nixos/modules/services/mail/opensmtpd.nix
View file

@ -107,7 +107,16 @@ in {
wantedBy = [ "multi-user.target" ];
wants = [ "network.target" ];
after = [ "network.target" ];
preStart = "mkdir -p /var/spool";
preStart = ''
mkdir -p /var/spool/smtpd
mkdir -p /var/spool/smtpd/offline
chown root.smtpq /var/spool/smtpd/offline
chmod 770 /var/spool/smtpd/offline
mkdir -p /var/spool/smtpd/purge
chmod 700 /var/spool/smtpd/purge
'';
serviceConfig.ExecStart = "${opensmtpd}/sbin/smtpd -d -f ${conf} ${args}";
environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd";
};

2
nixos/modules/services/network-filesystems/diod.nix
View file

@ -153,7 +153,7 @@ in
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.diod}/sbin/diod -f -c ${diodConfig}";
Capabilities = "cap_net_bind_service+=ep";
CapabilityBoundingSet = "cap_net_bind_service+=ep";
};
};
};

6
nixos/modules/services/networking/chrony.nix
View file

@ -64,7 +64,7 @@ in
###### implementation
config = mkIf config.services.chrony.enable {
config = mkIf cfg.enable {
# Make chronyc available in the system path
environment.systemPackages = [ pkgs.chrony ];
@ -101,12 +101,14 @@ in
home = stateDir;
};
systemd.services.ntpd.enable = false;
systemd.services.ntpd.enable = mkForce false;
systemd.services.chronyd =
{ description = "chrony NTP daemon";
wantedBy = [ "multi-user.target" ];
wants = [ "time-sync.target" ];
before = [ "time-sync.target" ];
after = [ "network.target" ];
conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];

2
nixos/modules/services/networking/dnscrypt-proxy.nix
View file

@ -90,7 +90,7 @@ in
example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
default = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv";
sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd";
sha256 = "0lac20qhcgjxxiiz8jzcn3hkqj4ywl58hahp5n2i6vf9akfyqp7c";
};
defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }";
};

219
nixos/modules/services/networking/mosquitto.nix Normal file
View file

@ -0,0 +1,219 @@
{ config, lib, pkgs, ...}:
with lib;
let
cfg = config.services.mosquitto;
listenerConf = optionalString cfg.ssl.enable ''
listener ${toString cfg.ssl.port} ${cfg.ssl.host}
cafile ${cfg.ssl.cafile}
certfile ${cfg.ssl.certfile}
keyfile ${cfg.ssl.keyfile}
'';
mosquittoConf = pkgs.writeText "mosquitto.conf" ''
pid_file /run/mosquitto/pid
acl_file ${aclFile}
persistence true
allow_anonymous ${if cfg.allowAnonymous then "true" else "false"}
bind_address ${cfg.host}
port ${toString cfg.port}
${listenerConf}
${cfg.extraConf}
'';
userAcl = (concatStringsSep "\n\n" (mapAttrsToList (n: c:
"user ${n}\n" + (concatStringsSep "\n" c.acl)) cfg.users
));
aclFile = pkgs.writeText "mosquitto.acl" ''
${cfg.aclExtraConf}
${userAcl}
'';
in
{
###### Interface
options = {
services.mosquitto = {
enable = mkEnableOption "Enable the MQTT Mosquitto broker.";
host = mkOption {
default = "127.0.0.1";
example = "0.0.0.0";
type = types.string;
description = ''
Host to listen on without SSL.
'';
};
port = mkOption {
default = 1883;
example = 1883;
type = types.int;
description = ''
Port on which to listen without SSL.
'';
};
ssl = {
enable = mkEnableOption "Enable SSL listener.";
cafile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to PEM encoded CA certificates.";
};
certfile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to PEM encoded server certificate.";
};
keyfile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to PEM encoded server key.";
};
host = mkOption {
default = "0.0.0.0";
example = "localhost";
type = types.string;
description = ''
Host to listen on with SSL.
'';
};
port = mkOption {
default = 8883;
example = 8883;
type = types.int;
description = ''
Port on which to listen with SSL.
'';
};
};
dataDir = mkOption {
default = "/var/lib/mosquitto";
type = types.path;
description = ''
The data directory.
'';
};
users = mkOption {
type = types.attrsOf (types.submodule {
options = {
password = mkOption {
type = with types; uniq (nullOr str);
default = null;
description = ''
Specifies the (clear text) password for the MQTT User.
'';
};
hashedPassword = mkOption {
type = with types; uniq (nullOr str);
default = null;
description = ''
Specifies the hashed password for the MQTT User.
<option>hashedPassword</option> overrides <option>password</option>.
To generate hashed password install <literal>mkpasswd</literal>
package and run <literal>mkpasswd -m sha-512</literal>.
'';
};
acl = mkOption {
type = types.listOf types.string;
example = [ "topic read A/B" "topic A/#" ];
description = ''
Control client access to topics on the broker.
'';
};
};
});
example = { john = { password = "123456"; acl = [ "topic readwrite john/#" ]; }; };
description = ''
A set of users and their passwords and ACLs.
'';
};
allowAnonymous = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Allow clients to connect without authentication.
'';
};
extraConf = mkOption {
default = "";
type = types.lines;
description = ''
Extra config to append to `mosquitto.conf` file.
'';
};
aclExtraConf = mkOption {
default = "";
type = types.lines;
description = ''
Extra config to prepend to the ACL file.
'';
};
};
};
###### Implementation
config = mkIf cfg.enable {
systemd.services.mosquitto = {
description = "Mosquitto MQTT Broker Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "forking";
User = "mosquitto";
Group = "mosquitto";
RuntimeDirectory = "mosquitto";
WorkingDirectory = cfg.dataDir;
Restart = "on-failure";
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf} -d";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
PIDFile = "/run/mosquitto/pid";
};
preStart = ''
rm -f ${cfg.dataDir}/passwd
touch ${cfg.dataDir}/passwd
'' + concatStringsSep "\n" (
mapAttrsToList (n: c:
if c.hashedPassword != null then
"echo '${n}:${c.hashedPassword}' > ${cfg.dataDir}/passwd"
else optionalString (c.password != null)
"${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} ${c.password}"
) cfg.users);
};
users.extraUsers.mosquitto = {
description = "Mosquitto MQTT Broker Daemon owner";
group = "mosquitto";
uid = config.ids.uids.mosquitto;
home = cfg.dataDir;
createHome = true;
};
users.extraGroups.mosquitto.gid = config.ids.gids.mosquitto;
};
}

8
nixos/modules/services/networking/networkmanager.nix
View file

@ -114,12 +114,10 @@ in {
# Ugly hack for using the correct gnome3 packageSet
basePackages = mkOption {
type = types.attrsOf types.package;
default = { inherit modemmanager wpa_supplicant
default = { inherit networkmanager modemmanager wpa_supplicant
networkmanager_openvpn networkmanager_vpnc
networkmanager_openconnect
networkmanager_pptp networkmanager_l2tp;
networkmanager = networkmanager.out;
};
networkmanager_pptp networkmanager_l2tp; };
internal = true;
};
@ -189,7 +187,7 @@ in {
boot.kernelModules = [ "ppp_mppe" ]; # Needed for most (all?) PPTP VPN connections.
environment.etc = with mapAttrs (name: getBin) cfg.basePackages; [
environment.etc = with cfg.basePackages; [
{ source = ipUpScript;
target = "NetworkManager/dispatcher.d/01nixos-ip-up";
}

2
nixos/modules/services/networking/ntpd.nix
View file

@ -82,6 +82,8 @@ in
{ description = "NTP Daemon";
wantedBy = [ "multi-user.target" ];
wants = [ "time-sync.target" ];
before = [ "time-sync.target" ];
preStart =
''

3
nixos/modules/services/networking/openntpd.nix
View file

@ -64,7 +64,8 @@ in
systemd.services.openntpd = {
description = "OpenNTP Server";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
wants = [ "network-online.target" "time-sync.target" ];
before = [ "time-sync.target" ];
after = [ "dnsmasq.service" "bind.service" "network-online.target" ];
serviceConfig.ExecStart = "${package}/sbin/ntpd -d -f ${cfgFile} ${cfg.extraOptions}";
};

4
nixos/modules/services/networking/syncthing.nix
View file

@ -121,7 +121,7 @@ in
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -home=${cfg.dataDir}";
ExecStart = "${cfg.package}/bin/syncthing -no-browser -home=${cfg.dataDir}";
};
};
};
@ -129,7 +129,7 @@ in
systemd.user.services = {
syncthing = header // {
serviceConfig = service // {
ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser";
ExecStart = "${cfg.package}/bin/syncthing -no-browser";
};
};
};

54
nixos/modules/services/networking/toxvpn.nix Normal file
View file

@ -0,0 +1,54 @@
{ config, stdenv, pkgs, lib, ... }:
with lib;
{
options = {
services.toxvpn = {
enable = mkEnableOption "enable toxvpn running on startup";
localip = mkOption {
type = types.string;
default = "10.123.123.1";
description = "your ip on the vpn";
};
port = mkOption {
type = types.int;
default = 33445;
description = "udp port for toxcore, port-forward to help with connectivity if you run many nodes behind one NAT";
};
};
};
config = mkIf config.services.toxvpn.enable {
systemd.services.toxvpn = {
description = "toxvpn daemon";
requires = [ "network-online.target" ]; # consider replacing by NetworkManager-wait-online.service
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p /run/toxvpn || true
chown toxvpn /run/toxvpn
'';
serviceConfig = {
ExecStart = "${pkgs.toxvpn}/bin/toxvpn -i ${config.services.toxvpn.localip} -l /run/toxvpn/control -u toxvpn -p ${toString config.services.toxvpn.port}";
KillMode = "process";
Restart = "on-success";
Type = "notify";
};
restartIfChanged = false; # Likely to be used for remote admin
};
users.extraUsers = {
toxvpn = {
uid = config.ids.uids.toxvpn;
home = "/var/lib/toxvpn";
createHome = true;
};
};
};
}

2
nixos/modules/services/networking/unbound.nix
View file

@ -106,8 +106,10 @@ in
preStart = ''
mkdir -m 0755 -p ${stateDir}/dev/
cp ${confFile} ${stateDir}/unbound.conf
${optionalString cfg.enableRootTrustAnchor ''
${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
chown unbound ${stateDir} ${rootTrustAnchorFile}
''}
touch ${stateDir}/dev/random
${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
'';

2
nixos/modules/services/security/fail2ban.nix
View file

@ -102,7 +102,7 @@ in
partOf = optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ fail2banConf jailConf ];
path = [ pkgs.fail2ban pkgs.iptables ];
path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];
preStart =
''

2
nixos/modules/services/system/dbus.nix
View file

@ -110,7 +110,7 @@ in
};
services.dbus.packages = [
pkgs.dbus
pkgs.dbus.out
config.system.path
];

32
nixos/modules/services/torrent/transmission.nix
View file

@ -113,22 +113,22 @@ in
#include <abstractions/base>
#include <abstractions/nameservice>
${pkgs.glibc.out}/lib/*.so mr,
${pkgs.libevent.out}/lib/libevent*.so* mr,
${pkgs.curl.out}/lib/libcurl*.so* mr,
${pkgs.openssl.out}/lib/libssl*.so* mr,
${pkgs.openssl.out}/lib/libcrypto*.so* mr,
${pkgs.zlib.out}/lib/libz*.so* mr,
${pkgs.libssh2.out}/lib/libssh2*.so* mr,
${pkgs.systemd}/lib/libsystemd*.so* mr,
${pkgs.xz.out}/lib/liblzma*.so* mr,
${pkgs.libgcrypt.out}/lib/libgcrypt*.so* mr,
${pkgs.libgpgerror.out}/lib/libgpg-error*.so* mr,
${pkgs.nghttp2.lib}/lib/libnghttp2*.so* mr,
${pkgs.c-ares.out}/lib/libcares*.so* mr,
${pkgs.libcap.lib}/lib/libcap*.so* mr,
${pkgs.attr.out}/lib/libattr*.so* mr,
${pkgs.lz4}/lib/liblz4*.so* mr,
${getLib pkgs.glibc}/lib/*.so mr,
${getLib pkgs.libevent}/lib/libevent*.so* mr,
${getLib pkgs.curl}/lib/libcurl*.so* mr,
${getLib pkgs.openssl}/lib/libssl*.so* mr,
${getLib pkgs.openssl}/lib/libcrypto*.so* mr,
${getLib pkgs.zlib}/lib/libz*.so* mr,
${getLib pkgs.libssh2}/lib/libssh2*.so* mr,
${getLib pkgs.systemd}/lib/libsystemd*.so* mr,
${getLib pkgs.xz}/lib/liblzma*.so* mr,
${getLib pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
${getLib pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
${getLib pkgs.nghttp2}/lib/libnghttp2*.so* mr,
${getLib pkgs.c-ares}/lib/libcares*.so* mr,
${getLib pkgs.libcap}/lib/libcap*.so* mr,
${getLib pkgs.attr}/lib/libattr*.so* mr,
${getLib pkgs.lz4}/lib/liblz4*.so* mr,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/vm/overcommit_memory r,

2
nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
View file

@ -43,7 +43,7 @@ let
# Paths to external programs.
$wgDiff3 = "${pkgs.diffutils}/bin/diff3";
$wgDiff = "${pkgs.diffutils}/bin/diff";
$wgImageMagickConvertCommand = "${pkgs.imagemagick}/bin/convert";
$wgImageMagickConvertCommand = "${pkgs.imagemagick.out}/bin/convert";
#$wgDebugLogFile = "/tmp/mediawiki_debug_log.txt";

2
nixos/modules/services/x11/desktop-managers/gnome3.nix
View file

@ -44,7 +44,7 @@ let
${cfg.extraGSettingsOverrides}
EOF
${pkgs.glib}/bin/glib-compile-schemas $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/
${pkgs.glib.dev}/bin/glib-compile-schemas $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/
'';
};

20
nixos/modules/services/x11/display-managers/default.nix
View file

@ -32,6 +32,12 @@ let
''
#! ${pkgs.bash}/bin/bash
${optionalString cfg.displayManager.logToJournal ''
if [ -z "$_DID_SYSTEMD_CAT" ]; then
_DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$1"
fi
''}
. /etc/profile
cd "$HOME"
@ -39,7 +45,7 @@ let
sessionType="$1"
if [ "$sessionType" = default ]; then sessionType=""; fi
${optionalString (!cfg.displayManager.job.logsXsession) ''
${optionalString (!cfg.displayManager.job.logsXsession && !cfg.displayManager.logToJournal) ''
exec > ~/.xsession-errors 2>&1
''}
@ -83,6 +89,8 @@ let
# .local/share doesn't exist yet.
mkdir -p $HOME/.local/share
unset _DID_SYSTEMD_CAT
${cfg.displayManager.sessionCommands}
# Allow the user to execute commands at the beginning of the X session.
@ -278,6 +286,16 @@ in
};
logToJournal = mkOption {
type = types.bool;
default = true;
description = ''
By default, the stdout/stderr of sessions is written
to <filename>~/.xsession-errors</filename>. When this option
is enabled, it will instead be written to the journal.
'';
};
};
};

2
nixos/modules/services/x11/display-managers/kdm.nix
View file

@ -139,7 +139,7 @@ in
mkdir -m 0755 -p /var/lib/kdm
chown kdm /var/lib/kdm
${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") +
"KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon"}
"KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"}
'';
logsXsession = true;
};

4
nixos/modules/services/x11/hardware/synaptics.nix
View file

@ -169,10 +169,10 @@ in {
config = mkIf cfg.enable {
services.xserver.modules = [ pkg ];
services.xserver.modules = [ pkg.out ];
environment.etc."${etcFile}".source =
"${pkg}/share/X11/xorg.conf.d/50-synaptics.conf";
"${pkg.out}/share/X11/xorg.conf.d/50-synaptics.conf";
environment.systemPackages = [ pkg ];

5
nixos/modules/services/x11/xserver.nix
View file

@ -16,6 +16,7 @@ let
virtualbox = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
ati = { modules = with pkgs.xorg; [ xf86videoati glamoregl ]; };
intel = { modules = with pkgs.xorg; [ xf86videointel glamoregl ]; };
modesetting = { modules = []; };
};
fontsForXServer =
@ -519,6 +520,7 @@ in
serviceConfig = {
Restart = "always";
RestartSec = "200ms";
SyslogIdentifier = "display-manager";
};
};
@ -526,10 +528,11 @@ in
[ "-terminate"
"-config ${configFile}"
"-xkbdir" "${cfg.xkbDir}"
# Log at the default verbosity level to stderr rather than /var/log/X.*.log.
"-verbose" "3" "-logfile" "/dev/null"
] ++ optional (cfg.display != null) ":${toString cfg.display}"
++ optional (cfg.tty != null) "vt${toString cfg.tty}"
++ optional (cfg.dpi != null) "-dpi ${toString cfg.dpi}"
++ optionals (cfg.display != null) [ "-logfile" "/var/log/X.${toString cfg.display}.log" ]
++ optional (!cfg.enableTCP) "-nolisten tcp";
services.xserver.modules =

4
nixos/modules/system/boot/initrd-ssh.nix
View file

@ -85,6 +85,10 @@ in
};
config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [ {
assertion = cfg.hostRSAKey != null || cfg.hostDSSKey != null || cfg.hostECDSAKey != null;
message = "You should specify at least one host key for initrd SSH";
} ];
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear

11
nixos/modules/system/boot/loader/grub/grub.nix
View file

@ -48,12 +48,13 @@ let
bootPath = args.path;
storePath = config.boot.loader.grub.storePath;
bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
inherit efiSysMountPoint;
inherit (args) devices;
inherit (efi) canTouchEfiVariables;
inherit (cfg)
version extraConfig extraPerEntryConfig extraEntries
extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios;
path = (makeBinPath ([
pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@ -313,14 +314,6 @@ in
'';
};
timeout = mkOption {
default = if (config.boot.loader.timeout != null) then config.boot.loader.timeout else -1;
type = types.int;
description = ''
Timeout (in seconds) until GRUB boots the default menu item.
'';
};
default = mkOption {
default = 0;
type = types.int;

16
nixos/modules/system/boot/loader/gummiboot/gummiboot.nix
View file

@ -16,7 +16,7 @@ let
nix = config.nix.package.out;
timeout = if cfg.timeout != null then cfg.timeout else "";
timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";
inherit (efi) efiSysMountPoint canTouchEfiVariables;
};
@ -29,20 +29,6 @@ in {
description = "Whether to enable the gummiboot UEFI boot manager";
};
timeout = mkOption {
default = if config.boot.loader.timeout == null then 10000 else config.boot.loader.timeout;
example = 4;
type = types.nullOr types.int;
description = ''
Timeout (in seconds) for how long to show the menu (null if none).
Note that even with no timeout the menu can be forced if the space
key is pressed during bootup
'';
};
};
config = mkIf cfg.enable {

44
nixos/modules/system/boot/luksroot.nix
View file

@ -5,7 +5,7 @@ with lib;
let
luks = config.boot.initrd.luks;
openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
# Wait for luksRoot to appear, e.g. if on a usb drive.
# XXX: copied and adapted from stage-1-init.sh - should be
# available as a function.
@ -192,9 +192,8 @@ let
''}
'';
isPreLVM = f: f.preLVM;
preLVM = filter isPreLVM luks.devices;
postLVM = filter (f: !(isPreLVM f)) luks.devices;
preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
in
{
@ -228,31 +227,31 @@ in
};
boot.initrd.luks.devices = mkOption {
default = [ ];
example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]'';
default = { };
example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
description = ''
The list of devices that should be decrypted using LUKS before trying to mount the
root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups.
The devices are decrypted to the device mapper names defined.
Make sure that initrd has the crypto modules needed for decryption.
The encrypted disk that should be opened before the root
filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
setups are sypported. The unencrypted devices can be accessed as
<filename>/dev/mapper/<replaceable>name</replaceable></filename>.
'';
type = types.listOf types.optionSet;
type = types.loaOf types.optionSet;
options = {
options = { name, ... }: { options = {
name = mkOption {
visible = false;
default = name;
example = "luksroot";
type = types.str;
description = "Named to be used for the generated device in /dev/mapper.";
description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
};
device = mkOption {
example = "/dev/sda2";
example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
type = types.str;
description = "Path of the underlying block device.";
description = "Path of the underlying encrypted block device.";
};
header = mkOption {
@ -289,6 +288,7 @@ in
'';
};
# FIXME: get rid of this option.
preLVM = mkOption {
default = true;
type = types.bool;
@ -394,7 +394,7 @@ in
};
};
};
}; };
};
boot.initrd.luks.yubikeySupport = mkOption {
@ -408,7 +408,7 @@ in
};
};
config = mkIf (luks.devices != []) {
config = mkIf (luks.devices != {}) {
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
@ -438,7 +438,7 @@ in
copy_bin_and_libs ${pkgs.ykpers}/bin/ykinfo
copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl
cc -O3 -I${pkgs.openssl}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
cc -O3 -I${pkgs.openssl.dev}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
strip -s pbkdf2-sha512
copy_bin_and_libs pbkdf2-sha512
@ -463,8 +463,8 @@ in
''}
'';
boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM;
boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM;
boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
environment.systemPackages = [ pkgs.cryptsetup ];
};

7
nixos/modules/system/boot/systemd.nix
View file

@ -753,13 +753,6 @@ in
"TMPFS_XATTR" "SECCOMP"
];
environment.shellAliases =
{ start = "systemctl start";
stop = "systemctl stop";
restart = "systemctl restart";
status = "systemctl status";
};
users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal;
users.extraUsers.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
users.extraGroups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;

2
nixos/modules/tasks/cpu-freq.nix
View file

@ -38,7 +38,7 @@ in
description = "CPU Frequency Governor Setup";
after = [ "systemd-modules-load.service" ];
wantedBy = [ "multi-user.target" ];
path = [ cpupower ];
path = [ cpupower config.system.sbin.modprobe ];
unitConfig.ConditionVirtualization = false;
serviceConfig = {
Type = "oneshot";

10
nixos/modules/testing/test-instrumentation.nix
View file

@ -113,6 +113,16 @@ let kernel = config.boot.kernelPackages.kernel; in
# Make it easy to log in as root when running the test interactively.
users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
services.xserver.displayManager.logToJournal = true;
# Bump kdm's X server start timeout to account for heavily loaded
# VM host systems.
services.xserver.displayManager.kdm.extraConfig =
''
[X-:*-Core]
ServerTimeout=240
'';
};
}

2
nixos/modules/virtualisation/amazon-image.nix
View file

@ -32,8 +32,8 @@ let cfg = config.ec2; in
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
boot.loader.grub.version = if cfg.hvm then 2 else 1;
boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev";
boot.loader.grub.timeout = 0;
boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";
boot.loader.timeout = 0;
boot.initrd.postDeviceCommands =
''

4
nixos/modules/virtualisation/azure-common.nix
View file

@ -10,10 +10,10 @@ with lib;
boot.kernelParams = [ "console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail" ];
boot.initrd.kernelModules = [ "hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc" ];
# Generate a GRUB menu.
# Generate a GRUB menu.
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.version = 2;
boot.loader.grub.timeout = 0;
boot.loader.timeout = 0;
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.

2
nixos/modules/virtualisation/brightbox-image.nix
View file

@ -94,7 +94,7 @@ in
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
boot.loader.grub.device = "/dev/vda";
boot.loader.grub.timeout = 0;
boot.loader.timeout = 0;
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.

6
nixos/modules/virtualisation/containers.nix
View file

@ -309,6 +309,10 @@ in
touch "$root/etc/os-release"
fi
if ! [ -e "$root/etc/machine-id" ]; then
touch "$root/etc/machine-id"
fi
mkdir -p -m 0755 \
"/nix/var/nix/profiles/per-container/$INSTANCE" \
"/nix/var/nix/gcroots/per-container/$INSTANCE"
@ -338,7 +342,7 @@ in
fi
''}
rm -f $root/var/lib/private/host-notify
# Run systemd-nspawn without startup notification (we'll
# wait for the container systemd to signal readiness).

2
nixos/modules/virtualisation/google-compute-image.nix
View file

@ -102,7 +102,7 @@ in
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.timeout = 0;
boot.loader.timeout = 0;
# Don't put old configurations in the GRUB menu. The user has no
# way to select them anyway.

2
nixos/modules/virtualisation/nova-image.nix
View file

@ -27,7 +27,7 @@ with lib;
boot.kernelParams = [ "console=ttyS0" ];
boot.loader.grub.device = "/dev/vda";
boot.loader.grub.timeout = 0;
boot.loader.timeout = 0;
# Allow root logins
services.openssh.enable = true;

2
nixos/modules/virtualisation/qemu-vm.nix
View file

@ -465,7 +465,7 @@ in
});
swapDevices = mkVMOverride [ ];
boot.initrd.luks.devices = mkVMOverride [];
boot.initrd.luks.devices = mkVMOverride {};
# Don't run ntpd in the guest. It should get the correct time from KVM.
services.ntp.enable = false;