Loading nixos/doc/manual/release-notes/rl-2411.section.md +3 −0 Original line number Diff line number Diff line Loading @@ -406,6 +406,9 @@ * from `/var/log/private/gns3` to `/var/log/gns3` and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`). - The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards). - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in Loading nixos/modules/services/networking/ssh/sshd.nix +17 −4 Original line number Diff line number Diff line Loading @@ -108,6 +108,10 @@ let }; usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u: lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0 )); authKeysFiles = let mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" { mode = "0444"; Loading @@ -116,9 +120,6 @@ let ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles} ''; }; usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u: lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0 )); in lib.listToAttrs (map mkAuthKeyFile usersWithKeys); authPrincipalsFiles = let Loading Loading @@ -302,7 +303,8 @@ in authorizedKeysInHomedir = lib.mkOption { type = lib.types.bool; default = true; default = lib.versionOlder config.system.stateVersion "24.11"; defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older"; description = '' Enables the use of the `~/.ssh/authorized_keys` file. Loading Loading 
@@ -544,6 +546,17 @@ in config = lib.mkIf cfg.enable { warnings = lib.optional (with cfg; lib.all lib.id [ # ~/.ssh/authorized_keys is ignored and no custom file locations were set (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ]) # no command provides authorized keys (authorizedKeysCommand == "none") # no users have keys in declarative configuration (usersWithKeys == []) # no authentication methods other than public keys are configured ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ]) ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored"; users.users.sshd = { isSystemUser = true; Loading nixos/modules/virtualisation/virtualbox-guest.nix +53 −38 Original line number Diff line number Diff line # Module for VirtualBox guests. { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: let cfg = config.virtualisation.virtualbox.guest; kernel = config.boot.kernelPackages; Loading Loading @@ -28,7 +33,20 @@ let in { imports = [ (lib.mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ]) (lib.mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ] ) ]; options.virtualisation.virtualbox.guest = { Loading Loading @@ -59,12 +77,15 @@ in ###### implementation config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable ( lib.mkMerge [ { assertions = [ { assertions = [{ assertion = pkgs.stdenv.hostPlatform.isx86; message = "Virtualbox not currently supported on ${pkgs.stdenv.hostPlatform.system}"; }]; } ]; environment.systemPackages = [ kernel.virtualboxGuestAdditions ]; Loading 
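Review bot: In the new `warnings` expression the right-hand side of the `||`, `settings.AuthenticationMethods == [ "publickey" ]`, is evaluated whenever the left side is false, which is the default path (`PasswordAuthentication` unset/true); unless `AuthenticationMethods` is a declared option of `settings` (its declaration would be outside this hunk), that access throws an attribute-missing error on every default configuration instead of yielding a warning, and a tolerant form is `(settings.AuthenticationMethods or null) == [ "publickey" ]`. The first condition compares `authorizedKeysFiles` to a single-element list, so the warning is silently skipped as soon as any other module contributes a path; that matches the comment's intent but is order-sensitive and should be kept in sync with the module's own default list. The lockout check also ignores `KbdInteractiveAuthentication`, so a host with `PasswordAuthentication = false` but keyboard-interactive (PAM) logins still enabled is warned although interactive logins remain possible; either fold that setting into the fourth condition or reword the comment to `# best-effort: no password or Kerberos auth, or publickey is the only method`. Conversely, the comparison `settings.PasswordAuthentication == false` relies on the option's declared default being a boolean rather than `null`, which this hunk does not show. The enclosing `config = lib.mkIf cfg.enable { … }` attribute set starts and ends outside the hunk.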
@@ -87,8 +108,7 @@ in serviceConfig.ExecStart = "@${kernel.virtualboxGuestAdditions}/bin/VBoxService VBoxService --foreground"; }; services.udev.extraRules = '' services.udev.extraRules = '' # /dev/vboxuser is necessary for VBoxClient to work. Maybe we # should restrict this to logged-in users. KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666" Loading @@ -99,20 +119,15 @@ in systemd.user.services.virtualboxClientVmsvga = mkVirtualBoxUserService "--vmsvga-session"; } ( lib.mkIf cfg.clipboard { (lib.mkIf cfg.clipboard { systemd.user.services.virtualboxClientClipboard = mkVirtualBoxUserService "--clipboard"; } ) ( lib.mkIf cfg.seamless { }) (lib.mkIf cfg.seamless { systemd.user.services.virtualboxClientSeamless = mkVirtualBoxUserService "--seamless"; } ) ( lib.mkIf cfg.dragAndDrop { }) (lib.mkIf cfg.dragAndDrop { systemd.user.services.virtualboxClientDragAndDrop = mkVirtualBoxUserService "--draganddrop"; } ) ]); }) ] ); } nixos/modules/virtualisation/virtualbox-host.nix +118 −82 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: let cfg = config.virtualisation.virtualbox.host; virtualbox = cfg.package.override { inherit (cfg) enableHardening headless enableWebService enableKvm; inherit (cfg) enableHardening headless enableWebService enableKvm ; extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null; }; Loading Loading 
@@ -93,93 +103,119 @@ in }; }; config = lib.mkIf cfg.enable (lib.mkMerge [{ warnings = lib.mkIf (pkgs.config.virtualbox.enableExtensionPack or false) ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"]; config = lib.mkIf cfg.enable ( lib.mkMerge [ { warnings = lib.mkIf (pkgs.config.virtualbox.enableExtensionPack or false) [ "'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'" ]; environment.systemPackages = [ virtualbox ]; security.wrappers = let security.wrappers = let mkSuid = program: { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; }; executables = [ executables = [ "VBoxHeadless" "VBoxNetAdpCtl" "VBoxNetDHCP" "VBoxNetNAT" "VBoxVolInfo" ] ++ (lib.optionals (!cfg.headless) [ ] ++ (lib.optionals (!cfg.headless) [ "VBoxSDL" "VirtualBoxVM" ]); in lib.mkIf cfg.enableHardening (builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) executables)); in lib.mkIf cfg.enableHardening ( builtins.listToAttrs ( map (x: { name = x; value = mkSuid x; }) executables ) ); users.groups.vboxusers.gid = config.ids.gids.vboxusers; services.udev.extraRules = '' services.udev.extraRules = '' SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}" SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}" SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" ''; } (lib.mkIf cfg.enableKvm { } (lib.mkIf cfg.enableKvm { assertions = [ { assertion = !cfg.addNetworkInterface; message = 
"VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInterface."; } ]; }) (lib.mkIf (!cfg.enableKvm) { boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ]; }) (lib.mkIf (!cfg.enableKvm) { boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ]; boot.extraModulePackages = [ kernelModules ]; services.udev.extraRules = '' services.udev.extraRules = '' KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd" KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd" KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd" ''; # Since we lack the right setuid/setcap binaries, set up a host-only network by default. }) (lib.mkIf cfg.addNetworkInterface { systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; }) (lib.mkIf cfg.addNetworkInterface { systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; requires = [ "dev-vboxnetctl.device" ]; after = [ "dev-vboxnetctl.device" ]; wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ]; wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ]; path = [ virtualbox ]; serviceConfig.RemainAfterExit = true; serviceConfig.Type = "oneshot"; serviceConfig.PrivateTmp = true; environment.VBOX_USER_HOME = "/tmp"; script = '' script = '' if ! [ -e /sys/class/net/vboxnet0 ]; then VBoxManage hostonlyif create cat /tmp/VBoxSVC.log >&2 fi ''; postStop = '' postStop = '' VBoxManage hostonlyif remove vboxnet0 ''; }; networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }]; networking.interfaces.vboxnet0.ipv4.addresses = [ { address = "192.168.56.1"; prefixLength = 24; } ]; # Make sure NetworkManager won't assume this interface being up # means we have internet access. 
networking.networkmanager.unmanaged = [ "vboxnet0" ]; }) (lib.mkIf config.networking.useNetworkd { }) (lib.mkIf config.networking.useNetworkd { systemd.network.networks."40-vboxnet0".extraConfig = '' [Link] RequiredForOnline=no ''; }) ]); ] ); } nixos/tests/openssh.nix +9 −2 Original line number Diff line number Diff line Loading @@ -14,7 +14,10 @@ in { { ... }: { services.openssh.enable = true; services.openssh = { enable = true; authorizedKeysInHomedir = true; }; security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; users.users.root.openssh.authorizedKeys.keys = [ Loading @@ -39,7 +42,11 @@ in { { ... }: { services.openssh = { enable = true; startWhenNeeded = true; }; services.openssh = { enable = true; startWhenNeeded = true; authorizedKeysInHomedir = true; }; security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; users.users.root.openssh.authorizedKeys.keys = [ Loading Loading
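Review bot: Both test nodes now pin `authorizedKeysInHomedir = true`, so the test file no longer exercises the new default path in which only `/etc/ssh/authorized_keys.d/%u` is consulted and `~/.ssh/authorized_keys` is ignored, nor the new `services.openssh` lockout warning; the behaviour this commit actually changes is left untested. A node (or a variant of the first one) that leaves `authorizedKeysInHomedir` at its default and relies only on `users.users.root.openssh.authorizedKeys.keys`, which is already declared in the context lines, would confirm that declarative keys keep working when the homedir file is not read. Presumably the option is pinned because part of the test outside this hunk installs a key into a home directory; if so, a one-line comment such as `# the default changed in 24.11; keep covering the ~/.ssh/authorized_keys path` next to the new line would make that intent explicit.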
nixos/doc/manual/release-notes/rl-2411.section.md +3 −0 Original line number Diff line number Diff line Loading @@ -406,6 +406,9 @@ * from `/var/log/private/gns3` to `/var/log/gns3` and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`). - The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards). - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in Loading
nixos/modules/services/networking/ssh/sshd.nix +17 −4 Original line number Diff line number Diff line Loading @@ -108,6 +108,10 @@ let }; usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u: lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0 )); authKeysFiles = let mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" { mode = "0444"; Loading @@ -116,9 +120,6 @@ let ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles} ''; }; usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u: lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0 )); in lib.listToAttrs (map mkAuthKeyFile usersWithKeys); authPrincipalsFiles = let Loading Loading @@ -302,7 +303,8 @@ in authorizedKeysInHomedir = lib.mkOption { type = lib.types.bool; default = true; default = lib.versionOlder config.system.stateVersion "24.11"; defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older"; description = '' Enables the use of the `~/.ssh/authorized_keys` file. Loading Loading @@ -544,6 +546,17 @@ in config = lib.mkIf cfg.enable { warnings = lib.optional (with cfg; lib.all lib.id [ # ~/.ssh/authorized_keys is ignored and no custom file locations were set (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ]) # no command provides authorized keys (authorizedKeysCommand == "none") # no users have keys in declarative configuration (usersWithKeys == []) # no authentication methods other than public keys are configured ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ]) ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored"; users.users.sshd = { isSystemUser = true; Loading
nixos/modules/virtualisation/virtualbox-guest.nix +53 −38 Original line number Diff line number Diff line # Module for VirtualBox guests. { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: let cfg = config.virtualisation.virtualbox.guest; kernel = config.boot.kernelPackages; Loading Loading @@ -28,7 +33,20 @@ let in { imports = [ (lib.mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ]) (lib.mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ] ) ]; options.virtualisation.virtualbox.guest = { Loading Loading @@ -59,12 +77,15 @@ in ###### implementation config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable ( lib.mkMerge [ { assertions = [ { assertions = [{ assertion = pkgs.stdenv.hostPlatform.isx86; message = "Virtualbox not currently supported on ${pkgs.stdenv.hostPlatform.system}"; }]; } ]; environment.systemPackages = [ kernel.virtualboxGuestAdditions ]; Loading @@ -87,8 +108,7 @@ in serviceConfig.ExecStart = "@${kernel.virtualboxGuestAdditions}/bin/VBoxService VBoxService --foreground"; }; services.udev.extraRules = '' services.udev.extraRules = '' # /dev/vboxuser is necessary for VBoxClient to work. Maybe we # should restrict this to logged-in users. KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666" Loading 
@@ -99,20 +119,15 @@ in systemd.user.services.virtualboxClientVmsvga = mkVirtualBoxUserService "--vmsvga-session"; } ( lib.mkIf cfg.clipboard { (lib.mkIf cfg.clipboard { systemd.user.services.virtualboxClientClipboard = mkVirtualBoxUserService "--clipboard"; } ) ( lib.mkIf cfg.seamless { }) (lib.mkIf cfg.seamless { systemd.user.services.virtualboxClientSeamless = mkVirtualBoxUserService "--seamless"; } ) ( lib.mkIf cfg.dragAndDrop { }) (lib.mkIf cfg.dragAndDrop { systemd.user.services.virtualboxClientDragAndDrop = mkVirtualBoxUserService "--draganddrop"; } ) ]); }) ] ); }
nixos/modules/virtualisation/virtualbox-host.nix +118 −82 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, pkgs, ... }: let cfg = config.virtualisation.virtualbox.host; virtualbox = cfg.package.override { inherit (cfg) enableHardening headless enableWebService enableKvm; inherit (cfg) enableHardening headless enableWebService enableKvm ; extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null; }; Loading Loading 
@@ -93,93 +103,119 @@ in }; }; config = lib.mkIf cfg.enable (lib.mkMerge [{ warnings = lib.mkIf (pkgs.config.virtualbox.enableExtensionPack or false) ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"]; config = lib.mkIf cfg.enable ( lib.mkMerge [ { warnings = lib.mkIf (pkgs.config.virtualbox.enableExtensionPack or false) [ "'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'" ]; environment.systemPackages = [ virtualbox ]; security.wrappers = let security.wrappers = let mkSuid = program: { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; }; executables = [ executables = [ "VBoxHeadless" "VBoxNetAdpCtl" "VBoxNetDHCP" "VBoxNetNAT" "VBoxVolInfo" ] ++ (lib.optionals (!cfg.headless) [ ] ++ (lib.optionals (!cfg.headless) [ "VBoxSDL" "VirtualBoxVM" ]); in lib.mkIf cfg.enableHardening (builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) executables)); in lib.mkIf cfg.enableHardening ( builtins.listToAttrs ( map (x: { name = x; value = mkSuid x; }) executables ) ); users.groups.vboxusers.gid = config.ids.gids.vboxusers; services.udev.extraRules = '' services.udev.extraRules = '' SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}" SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}" SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" ''; } (lib.mkIf cfg.enableKvm { } (lib.mkIf cfg.enableKvm { assertions = [ { assertion = !cfg.addNetworkInterface; message = 
"VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInterface."; } ]; }) (lib.mkIf (!cfg.enableKvm) { boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ]; }) (lib.mkIf (!cfg.enableKvm) { boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ]; boot.extraModulePackages = [ kernelModules ]; services.udev.extraRules = '' services.udev.extraRules = '' KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd" KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd" KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd" ''; # Since we lack the right setuid/setcap binaries, set up a host-only network by default. }) (lib.mkIf cfg.addNetworkInterface { systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; }) (lib.mkIf cfg.addNetworkInterface { systemd.services.vboxnet0 = { description = "VirtualBox vboxnet0 Interface"; requires = [ "dev-vboxnetctl.device" ]; after = [ "dev-vboxnetctl.device" ]; wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ]; wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ]; path = [ virtualbox ]; serviceConfig.RemainAfterExit = true; serviceConfig.Type = "oneshot"; serviceConfig.PrivateTmp = true; environment.VBOX_USER_HOME = "/tmp"; script = '' script = '' if ! [ -e /sys/class/net/vboxnet0 ]; then VBoxManage hostonlyif create cat /tmp/VBoxSVC.log >&2 fi ''; postStop = '' postStop = '' VBoxManage hostonlyif remove vboxnet0 ''; }; networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }]; networking.interfaces.vboxnet0.ipv4.addresses = [ { address = "192.168.56.1"; prefixLength = 24; } ]; # Make sure NetworkManager won't assume this interface being up # means we have internet access. 
networking.networkmanager.unmanaged = [ "vboxnet0" ]; }) (lib.mkIf config.networking.useNetworkd { }) (lib.mkIf config.networking.useNetworkd { systemd.network.networks."40-vboxnet0".extraConfig = '' [Link] RequiredForOnline=no ''; }) ]); ] ); }
nixos/tests/openssh.nix +9 −2 Original line number Diff line number Diff line Loading @@ -14,7 +14,10 @@ in { { ... }: { services.openssh.enable = true; services.openssh = { enable = true; authorizedKeysInHomedir = true; }; security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; users.users.root.openssh.authorizedKeys.keys = [ Loading @@ -39,7 +42,11 @@ in { { ... }: { services.openssh = { enable = true; startWhenNeeded = true; }; services.openssh = { enable = true; startWhenNeeded = true; authorizedKeysInHomedir = true; }; security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; users.users.root.openssh.authorizedKeys.keys = [ Loading