Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/configuration/network-manager.xml6
-rw-r--r--nixos/modules/config/nsswitch.nix7
-rw-r--r--nixos/modules/config/update-users-groups.pl10
-rw-r--r--nixos/modules/programs/ssh.nix25
-rw-r--r--nixos/modules/security/pam.nix4
-rw-r--r--nixos/modules/services/databases/mongodb.nix1
-rw-r--r--nixos/modules/services/databases/redis.nix4
-rw-r--r--nixos/modules/services/networking/consul.nix7
-rw-r--r--nixos/modules/services/networking/dnsmasq.nix2
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix6
-rw-r--r--nixos/modules/services/security/fail2ban.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix4
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix5
13 files changed, 58 insertions, 25 deletions
diff --git a/nixos/doc/manual/configuration/network-manager.xml b/nixos/doc/manual/configuration/network-manager.xml
index ceac40b7a1f66..b7e47b8729f32 100644
--- a/nixos/doc/manual/configuration/network-manager.xml
+++ b/nixos/doc/manual/configuration/network-manager.xml
@@ -10,7 +10,7 @@
 use NetworkManager. You can enable NetworkManager by setting:
 
 <programlisting>
-services.networkmanager.enable = true;
+networking.networkmanager.enable = true;
 </programlisting>
 
 some desktop managers (e.g., GNOME) enable NetworkManager
@@ -19,8 +19,8 @@ automatically for you.</para>
 <para>All users that should have permission to change network settings
 must belong to the <code>networkmanager</code> group.</para>
 
-<note><para><code>services.networkmanager</code> and
-<code>services.wireless</code> can not be enabled at the same time:
+<note><para><code>networking.networkmanager</code> and
+<code>networking.wireless</code> can not be enabled at the same time:
 you can still connect to the wireless networks using
 NetworkManager.</para></note>
 
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index 549e731f3b08a..a39c2895bf84d 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,6 +8,7 @@ let
 
   inherit (config.services.avahi) nssmdns;
   inherit (config.services.samba) nsswins;
+  ldap = config.users.ldap.enable;
 
 in
 
@@ -40,9 +41,9 @@ in
     # should define an option used by this module.
     environment.etc."nsswitch.conf".text =
       ''
-        passwd:    files ldap
-        group:     files ldap
-        shadow:    files ldap
+        passwd:    files ${optionalString ldap "ldap"}
+        group:     files ${optionalString ldap "ldap"}
+        shadow:    files ${optionalString ldap "ldap"}
         hosts:     files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} ${optionalString nsswins "wins"} myhostname mymachines
         networks:  files dns
         ethers:    files
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index d35ecb754bdb0..de73de91629b0 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -174,12 +174,12 @@ foreach my $u (@{$spec->{users}}) {
         } elsif (defined $u->{initialHashedPassword}) {
             $u->{hashedPassword} = $u->{initialHashedPassword};
         }
+    }
 
-        # Create a home directory.
-        if ($u->{createHome}) {
-            make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
-            chown $u->{uid}, $u->{gid}, $u->{home};
-        }
+    # Create a home directory.
+    if ($u->{createHome} && ! -e $u->{home}) {
+        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
+        chown $u->{uid}, $u->{gid}, $u->{home};
     }
 
     if (defined $u->{passwordFile}) {
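Review bot: The inner `if ! -e $u->{home}` on the make_path line is now redundant, because the enclosing condition already requires the home directory to be absent; simplify to `make_path($u->{home}, { mode => 0700 });`. As written, chown also runs only for freshly created homes, so an existing directory with the wrong owner is left untouched — if that is intended, say so in the comment, e.g. `# Only create and chown a missing home; existing directories are left as they are.` Neither call reports failure; `chown $u->{uid}, $u->{gid}, $u->{home} or warn "chown $u->{home}: $!";` would surface a home that ended up owned by the wrong user. The enclosing foreach over the users begins before the hunk.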
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 796740ea636ac..bd9b897158dc1 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -4,8 +4,19 @@
 
 with lib;
 
-let cfg  = config.programs.ssh;
-    cfgd = config.services.openssh;
+let
+
+  cfg  = config.programs.ssh;
+  cfgd = config.services.openssh;
+
+  askPassword = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
+
+  askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
+    ''
+      #! ${pkgs.stdenv.shell} -e
+      export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
+      exec ${askPassword}
+    '';
 
 in
 {
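Review bot: The wrapper execs x11-ssh-askpass with `DISPLAY` set to an empty string when `systemctl --user show-environment` prints no DISPLAY line, because the sed script deletes every other line and the pipeline still succeeds, so `-e` does not catch it. Add `[ -n "$DISPLAY" ] || exit 1` before the `exec` so ssh-agent sees a clean failure instead of a confusing one from the askpass program. A one-line comment above the DISPLAY assignment, e.g. `# DISPLAY is not inherited by the user unit; take it from the imported session environment`, would explain why the indirection is needed.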
@@ -117,6 +128,11 @@ in
             Restart = "on-failure";
             SuccessExitStatus = "0 2";
           };
+        # Allow ssh-agent to ask for confirmation. This requires the
+        # unit to know about the user's $DISPLAY (via ‘systemctl
+        # import-environment’).
+        environment.SSH_ASKPASS = optionalString config.services.xserver.enable askPasswordWrapper;
+        environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
       };
 
     environment.extraInit = optionalString cfg.startAgent
@@ -126,5 +142,10 @@ in
         fi
       '';
 
+    environment.interactiveShellInit = optionalString config.services.xserver.enable
+      ''
+        export SSH_ASKPASS=${askPassword}
+      '';
+
   };
 }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index dcb2d54947547..aa8d9224e35a8 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -215,7 +215,7 @@ let
           ${optionalString cfg.otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${optionalString cfg.oathAuth
-              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so"} window=5 usersfile=/etc/users.oath
+              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
           ${optionalString config.users.ldap.enable
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.krb5.enable ''
@@ -252,7 +252,7 @@ let
           ${optionalString cfg.otpwAuth
               "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${optionalString cfg.oathAuth
-              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so"} window=5 usersfile=/etc/users.oath
+              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
           ${optionalString cfg.startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
           ${optionalString cfg.forwardXAuth
diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix
index 02e44ad887049..14ffdad9217d2 100644
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@@ -120,6 +120,7 @@ in
         };
 
         preStart = ''
+          rm ${cfg.dbpath}/mongod.lock || true
           if ! test -e ${cfg.dbpath}; then
               install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
           fi
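Review bot: `rm ${cfg.dbpath}/mongod.lock || true` discards the lock unconditionally on every start, so a mongod still running against that dbpath but not managed by this unit loses its lock without any notice. Prefer `rm -f ${cfg.dbpath}/mongod.lock`, which makes a missing file a non-error without masking other failures, and place it after the directory-creation block that follows so the order reads naturally. A comment such as `# Remove a stale lock left behind by an unclean shutdown` would record why the removal exists. The preStart script continues outside the hunk.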
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index b91c389e90a2d..f2612d0b43b94 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -201,7 +201,7 @@ in
     environment.systemPackages = [ cfg.package ];
 
     systemd.services.redis_init =
-      { description = "Redis server initialisation";
+      { description = "Redis Server Initialisation";
 
         wantedBy = [ "redis.service" ];
         before = [ "redis.service" ];
@@ -216,7 +216,7 @@ in
       };
 
     systemd.services.redis =
-      { description = "Redis server";
+      { description = "Redis Server";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
index 3ae010e810704..5308fd9950855 100644
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@@ -178,7 +178,7 @@ in
         ExecReload = "${pkgs.consul}/bin/consul reload";
         PermissionsStartOnly = true;
         User = if cfg.dropPrivileges then "consul" else null;
-        TimeoutStartSec = "${toString (20 + (3 * cfg.joinRetries))}s";
+        TimeoutStartSec = "0";
       } // (optionalAttrs (cfg.leaveOnStop) {
         ExecStop = "${pkgs.consul}/bin/consul leave";
       });
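Review bot: `TimeoutStartSec = "0"` disables the start timeout entirely, so if whatever preStart waits on (presumably the join attempts bounded by `cfg.joinRetries`) never completes, the unit stays in "activating" indefinitely and is never marked failed, which also defeats any restart policy on it. If the computed `20 + 3 * joinRetries` seconds was too short, a larger explicit bound that still scales with `cfg.joinRetries` is safer than an unbounded wait, or the reason for accepting an unbounded wait should be stated in a comment beside the setting.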
@@ -209,13 +209,14 @@ in
           echo "$ADDR"
         }
         echo "{" > /etc/consul-addrs.json
+        delim=" "
       ''
       + concatStrings (flip mapAttrsToList cfg.interface (name: i:
         optionalString (i != null) ''
-          echo "    \"${name}_addr\": \"$(getAddr "${i}")\"," >> /etc/consul-addrs.json
+          echo "$delim \"${name}_addr\": \"$(getAddr "${i}")\"" >> /etc/consul-addrs.json
+          delim=","
         ''))
       + ''
-        echo "    \"\": \"\"" >> /etc/consul-addrs.json
         echo "}" >> /etc/consul-addrs.json
       '';
       postStart = ''
diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix
index fbb211911f1ce..7ddabf73106e0 100644
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@@ -82,7 +82,7 @@ in
 
     systemd.services.dnsmasq = {
         description = "dnsmasq daemon";
-        after = [ "network.target" "systemd-resolved.conf" ];
+        after = [ "network.target" "systemd-resolved.service" ];
         wantedBy = [ "multi-user.target" ];
         path = [ dnsmasq ];
         preStart = ''
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index c0ad9e17c4130..a7617d02c185e 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -195,12 +195,14 @@ in
         default =
           [ { path = "/etc/ssh/ssh_host_dsa_key";
               type = "dsa";
-              bits = 1024;
             }
             { path = "/etc/ssh/ssh_host_ecdsa_key";
               type = "ecdsa";
               bits = 521;
             }
+            { path = "/etc/ssh/ssh_host_ed25519_key";
+              type = "ed25519";
+            }
           ];
         description = ''
           NixOS can automatically generate SSH host keys.  This option
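Review bot: The default list still generates a DSA host key next to the new ed25519 one; ssh-keygen only produces 1024-bit DSA keys (which is why dropping `bits` changes nothing), and DSA is the weakest of the three, so consider removing the `ssh_host_dsa_key` entry from the defaults rather than keeping it without a size. If it must stay for older clients, a comment on the entry, e.g. `# DSA is kept only for legacy clients; ssh-keygen fixes it at 1024 bits`, would stop the next reader from re-adding `bits`. The option definition continues past the hunk.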
@@ -323,7 +325,7 @@ in
 
                 ${flip concatMapStrings cfg.hostKeys (k: ''
                   if ! [ -f "${k.path}" ]; then
-                      ssh-keygen -t "${k.type}" -b "${toString k.bits}" -f "${k.path}" -N ""
+                      ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
                   fi
                 '')}
               '';
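Review bot: `k ? bits` only tests that the attribute is present; if the hostKeys option type admits `bits = null` (not visible here), the command becomes `-b ` with an empty argument and ssh-keygen fails. A null-safe form is `${optionalString (k ? bits && k.bits != null) "-b ${toString k.bits}"}`, which also reads more directly than an if/else with an empty branch. The surrounding preStart script begins and ends outside the hunk.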
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index c40f41e07d4fc..6288b1b3ba863 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -95,7 +95,7 @@ in
     environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";
 
     systemd.services.fail2ban =
-      { description = "Fail2ban intrusion prevention system";
+      { description = "Fail2ban Intrusion Prevention System";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 601971d27b69f..ea45dabd12573 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -89,6 +89,10 @@ let
         ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
       ''}
 
+      # Tell systemd about our $DISPLAY. This is needed by the
+      # ssh-agent unit.
+      ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY
+
       # Load X defaults.
       ${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
       if test -e ~/.Xresources; then
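Review bot: `systemctl --user import-environment DISPLAY` fails when no user systemd instance is reachable from this session; if this session script runs with `set -e`, which the hunk does not show, that failure would abort X session startup. Appending `|| true` keeps the import best-effort like the pulseaudio line above, and the comment could say so: `# Best effort: fails harmlessly when no user instance is running.` The session script continues on both sides of the hunk.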
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 70158fc7252b0..8223c5a4941e5 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -35,7 +35,10 @@ in
     assertions = [ {
       assertion = cfg.defaultGatewayWindowSize == null;
       message = "networking.defaultGatewayWindowSize is not supported by networkd.";
-    } ];
+    } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
+      assertion = !rstp;
+      message = "networking.bridges.${n}.rstp is not supported by networkd.";
+    });
 
     systemd.services.dhcpcd.enable = mkDefault false;