Commit Graph

64 Commits

Author SHA1 Message Date
Eelco Dolstra
ae4e94d9ac Rename ‘boot.systemd’ to ‘systemd’
Suggested by Mathijs Kwik.  ‘boot.systemd’ is a misnomer because
systemd affects more than just booting.  And it saves some typing.
2013-01-16 12:33:18 +01:00
Eelco Dolstra
96ba0ca283 For some units, use "systemctl restart" rather than "systemctl stop/start"
During a configuration switch, changed units are stopped in the old
configuration, then started in the new configuration (i.e. after
running the activation script and running "systemctl daemon-reload").
This ensures that services are stopped using the ExecStop/ExecStopPost
commands from the old configuration.

However, for some services it's undesirable to stop them; in
particular dhcpcd, which deconfigures its network interfaces when it
stops.  This is dangerous when doing remote upgrades - usually things
go right (especially because the switch script ignores SIGHUP), but
not always (see 9aa69885f04969e5d31dcb8265c327adc908954e).  Likewise,
sshd should be kept running for as long as possible to prevent a
lock-out if the switch fails.

So the new option ‘stopIfChanged = false’ causes "systemctl restart"
to be used instead of "systemctl stop" followed by "systemctl start".
This is only proper for services that don't have stop commands.  (And
it might not handle dependencies properly in some cases, but I'm not
sure.)
2013-01-05 01:05:25 +01:00
Eelco Dolstra
97ae408e83 Merge remote-tracking branch 'origin/master' into systemd 2012-12-11 17:40:39 +01:00
Eelco Dolstra
78bd54ca80 Allow setting additional AuthorizedKeysFiles
Charon needs this to include the dynamically generated
/root/.vbox-charon-client-key.  (We used
users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but
that no longer works.)
2012-12-11 17:29:34 +01:00
Eelco Dolstra
eda051cff5 Remove abuse of "with" 2012-12-11 17:14:52 +01:00
Rickard Nilsson
68872f81cf openssh: Change the way authorized keys are added to the system.
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
2012-12-11 17:02:39 +01:00
Peter Simons
cd372c62ea modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-29 12:46:30 +01:00
Peter Simons
b43e219aeb modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-24 19:01:38 +02:00
Eelco Dolstra
224c825a36 Add option ‘users.motd’ for setting a message of the day shown on login
Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00
Eelco Dolstra
a5969634f4 sshd: Do detach into the background
This is necessary to ensure that jobs that need to start after sshd
work properly.

This reverts 03f13a49392b90cdc54d8ff057cef76bf0379913.
2012-10-04 23:38:27 -04:00
Eelco Dolstra
891be375b5 Make unitConfig/serviceConfig attribute sets
So instead of:

  boot.systemd.services."foo".serviceConfig =
    ''
      StartLimitInterval=10
      CPUShare=500
    '';

you can say:

  boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
  boot.systemd.services."foo".serviceConfig.CPUShare = 500;

This way all unit options are available and users can set/override
options in configuration.nix.
2012-10-01 16:27:42 -04:00
Peter Simons
03f13a4939 Tell sshd not to detach into the background.
This makes it easier for systemd to track it and avoids race conditions such as
this one:

  systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
  systemd[1]: Failed to start SSH Daemon.
  systemd[1]: Unit sshd.service entered failed state.
  systemd[1]: sshd.service holdoff time over, scheduling restart.
  systemd[1]: Stopping SSH Daemon...
  systemd[1]: Starting SSH Daemon...
  sshd[2315]: Server listening on 0.0.0.0 port 22.
  sshd[2315]: Server listening on :: port 22.
  sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
  sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
  sshd[2335]: fatal: Cannot bind any address.
  systemd[1]: Started SSH Daemon.
2012-09-28 17:38:24 +02:00
Eelco Dolstra
b02c488fde Automatically append ".service" to the name of service units 2012-08-23 10:25:27 -04:00
Eelco Dolstra
490ce3a230 PAM: Rename ownDevices to startSession
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
2012-08-17 13:48:22 -04:00
Eelco Dolstra
b91aa1599c sshd.nix: Disable password logins for root by default 2012-08-17 13:32:23 -04:00
Eelco Dolstra
ae62436697 Random changes 2012-07-19 17:33:22 -04:00
Eelco Dolstra
44d091674b Merge branch 'master' of github.com:NixOS/nixos into systemd
Conflicts:
	modules/config/networking.nix
	modules/services/networking/ssh/sshd.nix
	modules/services/ttys/agetty.nix
	modules/system/boot/stage-2-init.sh
	modules/system/upstart-events/shutdown.nix
2012-07-16 17:27:11 -04:00
Eelco Dolstra
73532c3855 Global replace /var/run/current-system -> /run/current-system 2012-07-16 11:34:21 -04:00
Eelco Dolstra
57d74e6f4f openssh.authorizedKeys.keyFiles: allow multiple keys
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path".  The underlying problem is that
you cannot do

  "${./file1} ${./file2}"

but you can do

  " ${./file1} ${./file2}"

Obviously we should allow the first case as well.
2012-07-13 17:59:03 -04:00
Eelco Dolstra
7e77dae458 sshd.nix: Create ~/.ssh/authorized_keys with the right ownership 2012-07-13 11:48:47 -04:00
Eelco Dolstra
352510c208 Add an option ‘boot.systemd.services’
This option makes it more convenient to define services because it
automates stuff like setting $PATH, having a pre-start script, and so on.
2012-06-18 15:28:31 -04:00
Eelco Dolstra
42ee3b4209 Add a ‘wantedBy’ attribute to unit definitions
This attribute allows a unit to make itself a dependency of another unit.

Also, add an option to set the default target unit.
2012-06-17 23:31:21 -04:00
Eelco Dolstra
4a95f8996b To ease migration to systemd, generate units from the ‘jobs’ option
Also get rid of the ‘buildHook’ job option because it wasn't very useful.
2012-06-16 00:19:43 -04:00
Eelco Dolstra
a46894b960 Get lots more systemd stuff working
Enabled a bunch of units that ship with systemd.  Also added an option
‘boot.systemd.units’ that can be used to define additional units
(e.g. ‘sshd.service’).
2012-06-14 18:44:56 -04:00
Rickard Nilsson
35f9502a27 Added option for specifying the path to the private key file sshd should use.
svn path=/nixos/trunk/; revision=34039
2012-05-09 22:13:53 +00:00
Rickard Nilsson
658ea20e7f Added option for specifying system-wide known hosts file for OpenSSH.
svn path=/nixos/trunk/; revision=34038
2012-05-09 22:11:07 +00:00
Peter Simons
86ba0c52b3 modules/services/networking/ssh/sshd.nix: stripped trailing whitespace
svn path=/nixos/trunk/; revision=33926
2012-04-26 08:13:24 +00:00
Peter Simons
ee2fcb645b modules/services/networking/ssh/sshd.nix: don't write debug output to /tmp/log
svn path=/nixos/trunk/; revision=33925
2012-04-26 08:13:21 +00:00
Eelco Dolstra
e6fd0fa893 * Cleanup.
svn path=/nixos/trunk/; revision=33921
2012-04-25 15:44:47 +00:00
Eelco Dolstra
43215ff80f * In the implementation of the ‘authorizedKeys’, don't delete all
lines below a certain marker.  This is undesirable because commands
  like "ssh-copy-id" add keys to the end of the file.  Instead mark
  all automatically added lines individually.

svn path=/nixos/trunk/; revision=33918
2012-04-25 14:14:20 +00:00
Mathijs Kwik
a1e86494d0 made challenge-response authentication method configurable for openssh
challenge-response is an authentication method that does not need the
plain text password to be emitted over the (encrypted) connection.
This is nice if you don't fully trust the server.

It is enabled (upstream) by default.

To the end user, it still looks like normal password authentication,
but instead of sending it, it is used to hash some challenge.

This means that if you don't want passwords to be used ever at all,
and just stick to public key authentication, you probably want to
disable this option too.

svn path=/nixos/trunk/; revision=33513
2012-04-01 10:54:17 +00:00
Mathijs Kwik
de5b437004 assertions '.msg' doesn't exist => .message
svn path=/nixos/trunk/; revision=33508
2012-04-01 10:54:06 +00:00
Mathijs Kwik
f31fefdfd9 splitted ssh/sshd X11 forwarding logic. Backward compatible change.
You can now set the forwardX11 config option for the ssh client and server separately.

For server, the option means "allow clients to request X11 forwarding".
For client, the option means "request X11 forwarding by default on all connections".

I don't think it made sense to couple them. I might not even run the server on some machines.
Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it,
I use the -X/-Y option, or set it in my ~/.ssh/config.

I also decoupled the 'XAuthLocation' logic from forwardX11.
For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it.

As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now.

svn path=/nixos/trunk/; revision=33407
2012-03-25 15:42:05 +00:00
Eelco Dolstra
acea54b3c6 * In the users...keyFiles option, the "string" type doesn't work very
well because elements could be paths, e.g.

    users.extraUsers.root.openssh.authorizedKeys.keyFiles =
      [ ./id_key.pub ];

  So disable the type check for now.

svn path=/nixos/trunk/; revision=32558
2012-02-25 17:31:39 +00:00
Peter Simons
90adc800c5 sshd: choose host key type
svn path=/nixos/trunk/; revision=32479
2012-02-22 20:28:54 +00:00
Nicolas Pierron
e264d1ab79 Convert users.extraUsers to an option set and add support for openssh
authorized_keys file generation.

svn path=/nixos/trunk/; revision=30611
2011-11-29 06:08:55 +00:00
Peter Simons
20b364f4de Reverting revisions 30103-30106: "always set nixpkgs.config.{state,store}Dir", etc.
After the change from revision 30103, nixos-rebuild suddenly consumed
freaky amounts of memory. I had to abort the process after it had
allocated well in excess of 30GB(!) of RAM. I'm not sure what is causing
this behavior, but undoing that assignment fixes the problem. The other
two commits needed to be revoked, too, because they depend on 30103.

svn path=/nixos/trunk/; revision=30127
2011-10-30 15:19:58 +00:00
Shea Levy
09cf6ce70c find modules | fgrep .nix | fgrep -v .svn | fgrep -v nixpkgs.nix | xargs sed -i -e 's|/nix/var|${config.nixpkgs.config.nix.stateDir}|g' -e 's|/nix/store|${config.nixpkgs.config.nix.storeDir}|g'
Don't assume /nix/store or /nix/var in NixOS modules, this is configurable

svn path=/nixos/trunk/; revision=30104
2011-10-29 21:03:57 +00:00
Peter Simons
eb6e1310b8 strip trailing whitespace; no functional change
svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Peter Simons
0ffb794d5d modules/services/networking/ssh/sshd.nix: strip trailing whitespace
svn path=/nixos/trunk/; revision=27733
2011-07-12 10:34:30 +00:00
Peter Simons
ea84edd528 modules/services/networking/ssh/sshd.nix: added new boolean options usePAM and passwordAuthentication
Setting both of these options to 'false' configures the OpenSSH daemon to
reject password authentication, i.e. users must have an appropriate key in
~/.ssh/authorized_keys in order to be able to log in.

svn path=/nixos/trunk/; revision=27732
2011-07-12 10:34:27 +00:00
Ludovic Courtès
7edc419f65 lshd: Streamline first use.
svn path=/nixos/trunk/; revision=25716
2011-01-29 23:06:52 +00:00
Eelco Dolstra
2bb4a618e2 * Added an option "services.openssh.extraConfig" that allows
setting arbitrary options in sshd_config, e.g.,

    services.openssh.extraConfig = "PermitTunnel yes";

svn path=/nixos/trunk/; revision=24341
2010-10-18 10:31:41 +00:00
Lluís Batlle i Rossell
4ee2a8a29a Fixing the UTF-8 in openssh sshd (passing to it the LOCALE_ARCHIVE - that
requieres a patch in openssh that I just commited to nixpkgs)

Before this, in the shell spawned, backspace could not work over UTF-8 strings in the readline.


svn path=/nixos/trunk/; revision=21679
2010-05-09 12:45:57 +00:00
Eelco Dolstra
176f6c52dd * Change the name of the SSH privilege separation user account back to
"sshd" because changing it to "opensshd" causes breakage (like the
  activation script saying "useradd: UID 2 is not unique.").  Also,
  OpenSSH requires it to be named "sshd", I think.

svn path=/nixos/trunk/; revision=20577
2010-03-11 18:07:20 +00:00
Ludovic Courtès
8e16742b79 Update users of `services.sshd'.
svn path=/nixos/trunk/; revision=20575
2010-03-11 17:02:53 +00:00
Ludovic Courtès
d1b4b7fd28 Rename services.sshd' to services.openssh'.
svn path=/nixos/trunk/; revision=20574
2010-03-11 17:02:49 +00:00
Eelco Dolstra
051e9342b3 * Use the moduli file. This shuts up the "WARNING: /etc/ssh/moduli
does not exist, using fixed modulus" message in /var/log/messages.

svn path=/nixos/trunk/; revision=19754
2010-02-01 17:05:02 +00:00
Marc Weber
4d7e344f69 Adding initial version of the nixos cd insallation test script using
qemu_kvm. Installation doesn't take place yet. VM is started
printing a remote controlled "Hello".

This serves as example how to run a vm within a bulid job.

svn path=/nixos/trunk/; revision=18887
2009-12-11 00:51:13 +00:00
Rob Vermaas
038180bab8 * sshd.nix: ports attribute, to allow listening to multiple ports
svn path=/nixos/trunk/; revision=18877
2009-12-10 14:45:41 +00:00