The default cache directory set by oh-my-zsh is $ohMyZsh/cache which
lives in the Nix store in our case. This causes issues with several
completion plugins provided by oh-my-zsh.
sg and newgrp only changes the current user session and should be
available to users even if the "users.mutableUsers" option is set.
These are common, useful commands.
chfn does modify the /etc/passwd GECOS field which is also controlled
by the option "users.users.<name?>.description", so it's less
appropriate to make it available when "users.mutableUsers" is set.
However, because CHFN_RESTRICT in login.defs is never set in current
NixOS the chfn functionality is never available to users anyway and
may as well have its SUID disabled, as only root is able to use it.
This is recommended in the chfn man page in this case.
To make the configuration of `yabar` more pleasant and easier to
validate, a NixOS module will be quite helpful.
An example config could look like this:
```
{
programs.yabar = {
enable = true;
bars.top.indicators.exec = "YA_DATE";
};
}
```
The module adds a user-controlled systemd service which runs `yabar` after
starting up X.
* bemenu: init at 2017-02-14
* velox: 2015-11-03 -> 2017-07-04
* orbment, velox: don't expose subprojects
the development of orbment and velox got stuck
their subprojects (bemenu, dmenu-wayland, st-wayland) don't work correctly outside of parent projects
so hide them to not confuse people
swc and wld libraries are unpopular and unlike wlc are not used by anything except velox
* pythonPackages.pydbus: init at 0.6.0
* way-cooler: 0.5.2 -> 0.6.2
* nixos/way-cooler: add module
* dconf module: use for wayland
non-invasive approach for #31293
see discussion at #32210
* sway: embed LD_LIBRARY_PATH for #32755
* way-cooler: switch from buildRustPackage to buildRustCrate #31150
As described in detail here: https://github.com/NixOS/nixpkgs/issues/32533
bash will load completion scripts in $p/share/bash-completion/completions/ on
startup instead of letting bash-completion do it's lazy loading. Bash startup
will then slow down (very noticeable when bash-completion is installed in a
profile).
This commit leaves loading of scripts in the hands of bash-completion,
improving startup time for everyone using `enableCompletion`.
fixes #32533
The bash module currently sets the `/etc/inputrc` unconditionally,
which prevents easy user override. This commit lowers the priority of
the setting to "option default" level, which allows a user to override
the value using either
environment.etc."inputrc".text = …
or
environment.etc."inputrc".source = …
Regression introduced by 520a43ced3.
Using XML tag characters for things that are not tags needs to be
properly indicated by an entity.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
`cfg.interactiveShellInit` is used by modules like
`programs.zsh.oh-my-zsh`. This means that all aliases defined in
`programs.zsh.shellAliases` might be overriden which is highly
unpredictable
Originially, `programs.zsh` sets default values for some
initialisation scripts.
Nix resolves the case of multiple values by concatenating them all.
It is however impossible to predict where the default script will be
inserted; but we never want the default value to override the
user-specified ones.
Now, it doesn't set default values; almost everything is hardcoded at
the begining of the file.
While systemd suggests using the pre-defined graphical-session user
target, I found that this interface is difficult to use. Additionally,
no other major distribution, even in their unstable versions, currently
use this mechanism.
The window or desktop manager is supposed to run in a systemd user service
which activates graphical-session.target and the user services that are
binding to this target. The issue is that we can't elegantly pass the
xsession environment to the window manager session, in particular
whereas the PassEnvironment option does work for DISPLAY, it for some
mysterious reason won't for PATH.
This commit implements a new graphical user target that works just like
default.target. Services which should be run in a graphical session just
need to declare wantedBy graphical.target. The graphical target will be
activated in the xsession before executing the window or display manager.
Fixes #17858.
SSH expects a new line at the end of known_hosts file.
Without a new line the next entry goes on the same line
as the last entry in known_hosts causing errors.
Right now the `programs.zsh.syntax-highlighting.highlighters` option
lacks appropriate validation which can cause confusing things when
mistyping a higlighter for zsh-syntax-highlighting.
* programs.zsh: factor zsh-syntax-highlighting out into its own module
* programs.zsh.syntax-highlighting: add `highlighters` option
* programs.zsh: document BC break introduced by moving zsh-syntax-completion into its own module
* programs.zsh: add enableOhMyZsh option to automate setup of oh-my-zsh in global zshrc
* programs.zsh: make oh-my-zsh plugins configurable
* programs.zsh: add ohMyZshCustom option
* programs.zsh: add ohMyZshTheme option
* programs.zsh: applying minor fixes to evaluate expressions properly
* programs.zsh: fix ordering of oh-my-zsh config and execution
* programs.zsh: move all oh-my-zsh params into its own scope named programs.zsh.oh-my-zsh
In order to use qt5ct (Qt5 Configuration Tool) to configure Qt5
settings (theme, font, icons, etc.) under DE/WM without Qt
integration, the environment variable QT_QPA_PLATFORMTHEME should be
set to "qt5ct".
It can be done automatically by this module, or by setting the
variable explicitly in the user or in the system configuration.
In the absence of XCURSOR_PATH, the function XcursorLibraryPath
in libXcursor will return a hardcoded value unsuitable for NixOS.
Some desktops as well as display managers in NixOS currently do
set XCURSOR_PATH, but there are combinations where neither does
(e.g. SDDM+XFCE), resulting in no cursor themes being available.
The new definition if XCURSOR_PATH is effectively the same as what
KDE's startkde currently does.
Fixes issue #21442.
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:
programs.wireshark.enable = true;
The setuid wrapper is available for users in the 'wireshark' group.
Changes v1 -> v2:
- add "defaultText" to the programs.wireshark.package option (AFAIK,
that prevents the manual from being needlessly rebuilt when the
package changes)
The content of programs.zsh.interactiveShellInit was
inserted too soon in the generated zshrc
This caused some settings related to autocompletion to be ignored
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
Every interactive zsh sources /etc/zshrc (see STARTUP/SHUTDOWN FILES in zshautll(1))
Therefor every interactive zsh process will respect the content of these variables.
Using `export` will also lead to child processes inheriting this value.
This leads to problems, if other interactive shells are spawned such as bash,
because they use an incomptabible history format (without timestamps).
There seems to be also cases, where the local HISTSIZE in ~/.zshrc is
not sourced but /etc/zshrc, which leads to history truncation in other shells.
Fixup regression introduced in commit 1bbcd91b2e
("spacefm: sudo and gksu fixes #15758 and license update").
A missing </filename> end tag caused this:
$ nixos-rebuild build
...
options-db.xml:4402: parser error : Opening and ending tag mismatch: filename line 4401 and para
</para><para><emphasis>Type:</emphasis> boolean</para><para><emphasis>Default:</
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: filename line 4401 and listitem
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: para line 4401 and varlistentry
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:28430: parser error : Opening and ending tag mismatch: listitem line 4401 and variablelist
</filename></member></simplelist></listitem></varlistentry></variablelist
^
options-db.xml:28432: parser error : Premature end of data in tag varlistentry line 4401
For now, leave the old implementation under `man-old` attribute.
Small warning: I had a leftover ~/.nix-profile/man from an old package,
which caused man-db's man prefer it and ignore ~/.nix-profile/share/man.
The PATH->MANPATH code just selects the first match for each PATH item.
This basic module allows you to specify the tmux configuration.
As great as tmux is, some of the defaults are pretty awful, so having a
way to specify the config really helps.
This reverts commit e8e8164f34. I
misread the original commit as adding the "which" package, but it only
adds it to base.nix. So then the original motivation (making it work
in subshells) doesn't hold. Note that we already have some convenience
aliases that don't work in subshells either (such as "ll").
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.
The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
- Now `pkg.outputUnspecified = true` but this attribute is missing in
every output, so we can recognize whether the user chose or not.
If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
`systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
We add extra outputs *regardless* of whether the user chose anything.
It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
If we limit SSH_ASKPASS to interactive shells, users are unable to trigger
the ssh-passphrase dialog from their desktop environment autostart scripts.
Usecase: I call ssh-add during my desktop environment autostart and want to have
the passphrase dialog immediately after startup.
For this to work, SSH_ASKPASS needs to be propagated properly on
non-interactive shells.
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.
The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
* Patched fish to load /etc/fish/config.fish if it exists (by default,
it only loads config relative to itself)
* Added fish-foreign-env package to parse the system environment
closes #5331
The idea that the interactive bash prompt isn't set in case of TERM=dumb
is intended to fix problems when other machines log remotely into a
NixOS installation via Tramp. A side-effect that change was, however,
that Emacs' shell-mode no longer had a correct prompt. I suppose the
presence of
INSIDE_EMACS=24.5.2,comint
is a sufficiently unique indication that the current interactive shell
is running inside of an Emacs and that the prompt can thus be configured
safely.
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.
For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
`man 1 info` says:
The first non-option argument, if present, is the menu entry to
start from; it is searched for in all `dir' files along INFOPATH.
If it is not present, info merges all `dir' files and shows the
result. Any remaining arguments are treated as the names of menu
items relative to the initial node visited.
Which means that this does what previous programs/info did and #8519
(on-the-fly infodir generation for Emacs) wanted to do, but for both
programs.
In 14f09e0, I've introduced the module under modules/programs, because
the legacy virtualbox.nix was also under that path. But because we
already have modules/virtualisation/virtualbox-guest.nix, it really
makes sense to put this module alongside of it as well.
This module thus has no change in functionality and I've tested
evaluation against nixos/tests/virtualbox.nix and the manual.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
My original reason to put it at the beginning of NIX_PATH was to allow
shipping a particular version <nixpkgs> with a channel. But in order to
do that, we can still let the channel expression ship with a custom
version of nixpkgs by something like <channel/nixpkgs> and the builder
of the channel could also rewrite self-references.
So the inconvenience is now shifted towards the maintainer of the
channel rather than the user (which isn't nice, but better err on the
side of the developer rather than on the user), because as @edolstra
pointed out: Having the channels of root at the beginning of NIX_PATH
could have unintended side-effects if there a channel called nixpkgs.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is very useful if you want to distribute channels (and thus
expressions as well) in a similar fashion to Debians APT sources (or
PPAs or whatnot).
So, for example if you have a channel with some additional functions
or packages, you simply add that channel with:
sudo nix-channel --add https://example.com/my-nifty-channel foo
And you can access that channel using <foo>, for example in your
configuration.nix:
{
imports = [ <foo/modules/shiny-little-module> ];
environment.systemPackages = with import <foo/pkgs> {}; [ bar blah ];
services.udev.extraRules = import <foo/lib/udev/mkrule.nix> {
kernel = "eth*";
attr.address = "00:1D:60:B9:6D:4F";
name = "my_fast_network_card";
};
}
Within nixpkgs, we shouldn't have <nixos> used anywhere anymore, so we
shouldn't get into conflicts.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
By making askPassword an option, desktop environment modules can
override the default x11_ssh_askpassword with their own equivalent for
better integration. For example, KDE 5 uses plasma5.ksshaskpass instead.
This was lost back in
ffedee6ed5. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
This reverts commit 766207ca1d.
We need to solve the problem with `environment.profileRelativeEnvVars`.
The best workaround is to make profileRelativeEnvVars prepend paths.
This reverts commit 5d67b17901.
The issues have been resolved by ac603e208c.
Tested this with hostonlyifs and USB support with extension pack.
Conflicts:
nixos/modules/programs/virtualbox-host.nix
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.
This restores the 14.04 behaviour.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.
Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardining is enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes #5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.
The hardened.patch implements two things:
* Set the binary directory to the setuid-wrappers dir so that
VboxSVC calls them instead of the binaries from the store path. The
reason behind this is because nothing in the Nix store can have the
setuid flag.
* Excempt /nix/store from the group permission check, because while it
is group-writeable indeed it also has the sticky bit set (and also
the whole store is mounted read-only on most NixOS systems), so we're
checking on that as well.
Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We will simply rename the previous module and add a warning whenever the
module is included directly, pointing the user to the right option and
also enable it as well (in case somebody has missed the option and is
wondering why VirtualBox doesn't work anymore).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
NixOS has a pervasive dependency on bash. For instance, the X11
session script sources /etc/profile to get a reasonable
environment. Thus we should not provide an option to disable bash.
Also, enabling zsh no longer sets ‘users.defaultUserShell’ to zsh, to
prevent a collision with bash's definition of the same
option. (Changing the default shell is also something that should be
left to the user.)
This has some advantages:
* You get ssh-agent regardless of how you logged in. Previously it was
only started for X11 sessions.
* All sessions of a user share the same agent. So if you added a key
on tty1, it will also be available on tty2.
* Systemd will restart ssh-agent if it dies.
* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
more secure than /tmp.
For bonus points, we should patch ssh-agent to support socket-based
activation...
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.
The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.
Option changes introduced by this commit:
* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.
* Add <group>.members as a complement to <user>.extraGroups.
* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.
* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.
I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
(systemd service descriptions that is, not service descriptions in "man
configuration.nix".)
Capitalizing each word in the description seems to be the accepted
standard.
Also shorten these descriptions:
* "Munin node, the agent process" => "Munin Node"
* "Planet Venus, an awesome ‘river of news’ feed reader" => "Planet Venus Feed Reader"
That is, you can say
security.pam.services.sshd = { options... };
instead of
security.pam.services = [ { name = "sshd"; options... } ];
making it easier to override PAM settings from other modules.