Commit Graph

4012 Commits

Author SHA1 Message Date
Rickard Nilsson
68872f81cf openssh: Change the way authorized keys are added to the system.
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
2012-12-11 17:02:39 +01:00
Eelco Dolstra
13617b803b Use the binary cache in the installer
Also remove "nixos-rebuild pull".
2012-12-08 19:00:06 +01:00
Eelco Dolstra
ef3199f782 Add options for specifying binary caches
Cherry-picked a4bcb26b1a.
2012-12-08 18:37:40 +01:00
Eelco Dolstra
2b4715d3ef Installer test: fix nix-push call
http://hydra.nixos.org/build/3331147
2012-12-08 18:33:00 +01:00
Evgeny Egorochkin
860cbf7890 scanner support: create scanner group. Users need to be in this group to access scanners. 2012-12-06 02:59:34 +02:00
Evgeny Egorochkin
15a15be2f6 dhcpcd: disable "require dhcp_server_identifier" because of so many non-compliant DHCP servers 2012-12-05 23:55:42 +02:00
Eelco Dolstra
7435db4f89 Get rid of the last uses of mkAlways
mkAlways is an insane function, mkMerge is much saner.
2012-11-30 15:07:39 +01:00
Eelco Dolstra
9eb81d2578 Renamed tcpWrapper -> tcp_wrappers 2012-11-29 15:16:30 +01:00
Lluís Batlle i Rossell
04963cf802 system-tarball-pc: fixing the readme inclusion 2012-11-29 11:29:15 +01:00
Lluís Batlle i Rossell
a9e5d1ab50 Changing the kernel parameters for crashump
I think that these enable more checks, and make more NMIs happen.
2012-11-29 11:27:33 +01:00
Peter Simons
6b6b245693 sane: update name of the snapshot version of the backends 2012-11-26 16:21:11 +01:00
Rob Vermaas
f0a6911929 Add ec2.metadata (default false) option whether to allow access to EC2 metadata API. 2012-11-21 12:19:38 -05:00
Peter Simons
0f15d75017 Merge pull request #29 from rickynils/shellaliases
Generate shell aliases programatically
2012-11-20 12:35:03 -08:00
Rickard Nilsson
eeab59fb87 Merge pull request #33 from rickynils/nslcd
Adds the option users.ldap.daemon which, handles NSS and PAM requests by talking to a local nslcd daemon instead of directly to the LDAP server.
2012-11-20 07:42:30 -08:00
Rickard Nilsson
6099451662 Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-11-20 16:39:45 +01:00
Rickard Nilsson
611ebeb1d0 Add nslcd (nss-pam-ldapd) uid and gid 2012-11-20 16:39:45 +01:00
Rickard Nilsson
a22c362155 Add option for specifying shell aliases, environment.shellAliases. 2012-11-20 16:33:29 +01:00
Peter Simons
3dda354610 Merge pull request #40 from falsifian/master
Change the default value of programs.ssh.forwardX11 to false.
2012-11-18 14:49:45 -08:00
James Cook
3afa5f86c1 Fixed the documentation for programs.ssh.forwardX11 to account for the X11 SECURITY extension. 2012-11-18 11:05:18 -08:00
James Cook
63dc873b85 Merge master. 2012-11-18 10:49:55 -08:00
Rickard Nilsson
02e0d7dbc3 dnsmasq: Add extraConfig option 2012-11-12 18:16:04 +01:00
Shea Levy
2f833bc88d Remove unnecessary toPath that breaks with recent nixUnstable 2012-11-08 13:04:20 -05:00
Eelco Dolstra
e078117c72 firewall.nix: Don't fail if IPv6 is disabled 2012-11-06 22:55:25 +01:00
aszlig
1c28b86749
pam: Douchebag commit, fix alphabetical order.
Yes, I'm going to get back to school and learn the alphabet. I promise!

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:41:24 +01:00
aszlig
6e6ee3278c
pam: Add default configuration for GNU screen.
This is needed in order to properly lock your screen using the C-a C-x
(lockscreen) command _and_ being back to re-login, because the "other" PAM
service/fallback is to deny authentication.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:40:15 +01:00
Lluís Batlle i Rossell
64540fb453 Adding quick instructions in system-tarball-pc to use it as chroot.
I also split the readme into a file apart.
2012-11-04 22:13:19 +01:00
Peter Simons
cd372c62ea modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-29 12:46:30 +01:00
Lluís Batlle i Rossell
82d39c9ca4 Fixing stage1 about getting a shell with job control in case of error
It's a busybox faq:
http://www.busybox.net/FAQ.html#job_control
2012-10-24 21:49:10 +02:00
Lluís Batlle i Rossell
c76fc27aff dnsmasq: Setting fixed order in DNS name resolution.
That fits better my setup; if anyone doesn't need this, we can write an option
for the fixed order queries.
2012-10-24 19:29:39 +02:00
Vladimír Čunát
a392468245 Merge pull request #39 from MarcWeber/fixes/ati-proprietary
making ati proprietary drivers work again
2012-10-24 02:59:38 -07:00
Peter Simons
ae1d564c1c Merge pull request #45 from jcumming/brokendns.121021
Add an option for putting options 'single-request' into /etc/resolv.conf
2012-10-23 10:39:30 -07:00
Jack Cummings
1cbad692c3 Add an option to add 'option=single-request' to /etc/resolv.conf. 2012-10-21 21:49:21 -07:00
Jack Cummings
d1bafd9e7f Merge remote-tracking branch 'upstream/master' 2012-10-19 22:12:25 -07:00
Peter Simons
7d58132c0a Merge pull request #36 from jcumming/hostapd
hostapd module
2012-10-18 03:21:31 -07:00
aszlig
da3eaf940b
Merge branch 'apache-httpd-2.4-support'.
This adds support for Apache HTTP server version 2.4 through conditionals, where
the changes are:

 * Use "Require" instead of Order/Deny/Allow.
 * Set DefaultRuntimeDir to a directory within stateDir.
 * Create DefaultRuntimeDir within Upstart job.
 * Don't add NameVirtualHost directives.
 * Use mod_authn_core instead of mod_authn_alias.
 * Add mod_unixd to support User/Group directives.
 * Load the MPM module specified by multiProcessingModule at runtime.
2012-10-17 22:58:40 +02:00
aszlig
f9831a94c9
apache-httpd: Simplify all versionOlder calls.
We now just have a simple attribute called "version24" which replaces all those
pesky versionOlder that were spreading throughout the file and makes things way
more readable.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:47:30 +02:00
aszlig
919e6e55a9
apache-httpd: Create runtime dir for version 2.4.
By default the path is determined related to ServerRoot. Unfortunately
ServerRoot is pointing to the Nix store and the web server can't write to it.

We now create a directory called "runtime" withen the stateDir and point
DefaultRuntimeDir to it.

For more information on the DefaultRuntimeDir directive, please see:

http://httpd.apache.org/docs/2.4/mod/core.html#defaultruntimedir

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:38:43 +02:00
aszlig
5655ec0efa
apache-httpd: Avoid NameVirtualHost in >= v2.4.
NameVirtualHost no longer has any effect on version 2.4 and just emits ugly
warnings, so let's not use it if we use 2.4.

More information: http://httpd.apache.org/docs/2.4/upgrading.html#misc

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:03:50 +02:00
aszlig
a88453fbaa
apache-httpd: Properly wrap access directives.
The Order/Deny directives are deprecated in version 2.4, so we're going to
define two wrappers for allDenied and allGranted in order to properly generate
configurations for both version 2.2 and 2.4.

For more information an access control changes, see:

http://httpd.apache.org/docs/2.4/upgrading.html#access

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 16:57:18 +02:00
aszlig
3acd98b040
apache-httpd: Add unixd for 2.4, needed by "User".
Beginning with 2.4 mod_unixd is needed to supply Unix usernames and groups for
the web server. For details please have a look at:

http://httpd.apache.org/docs/2.4/upgrading.html#commonproblems

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:34:08 +02:00
aszlig
3ad8fac5a2
apache-httpd: Dynamically load MPM module in v2.4.
Now, MPMs can be loaded at runtime and it's no longer required to compile in one
of the MPM modules statically. So, if version is >= 2.4, load the MPM module
corresponding to the multiProcessingModule value of the service module.

For details, please see: http://httpd.apache.org/docs/2.4/mpm.html

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:17:48 +02:00
aszlig
18076e001a
apache-httpd: Use authn_core for version >= 2.3.
Beginning with version 2.3, the authn were refactored. As a result, authn_alias
is now part of the new module authn_core, so let's use authn_core instead of
authn_alias.

For details please see: http://httpd.apache.org/docs/2.4/upgrading.html#misc

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:11:53 +02:00
Peter Simons
56f90da276 modules/programs/bash: '/run/current-system/sw' is already a part of $NIX_PROFILES 2012-10-16 19:08:10 +02:00
Peter Simons
04a8642b4b modules/programs/bash: clean-up variables used in initialization of bash-completion 2012-10-16 18:41:45 +02:00
Peter Simons
efc104c4c8 modules/programs/bash: improve bash completion support
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
2012-10-16 18:41:45 +02:00
Eelco Dolstra
8499d7555f Backward compatibility hack for ‘networking.nat.internalIPs’ 2012-10-16 11:28:30 -04:00
Eelco Dolstra
f4329320ab Forward compatibility with the systemd branch 2012-10-14 22:07:44 -04:00
Mathijs Kwik
97a3a99b40 firewall: options to select connection-tracking helpers
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.

This change has no impact if you don't touch the added options, so no
need to adapt.
2012-10-13 09:59:31 +02:00
Mathijs Kwik
6c62de6a31 firewall: option to enable the rpfilter netfilter module
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.

There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
2012-10-13 09:59:31 +02:00
James Cook
5181ca4a3f Change the default value of programs.ssh.forwardX11 to false.
Forwarding X11 to untrusted servers is extremely insecure; see for example
http://www.hackinglinuxexposed.com/articles/20040705.html
2012-10-09 23:21:45 -07:00