# This module defines the global list of uids and gids. We keep a
# central list to prevent id collisions.
#
# NOTE(review): the numbers below are deliberately left untouched.  An id
# that is already in use on a deployed system is baked into file ownership,
# so renumbering is a migration, not a local edit.  The rules stated at the
# end of each set (a new uid must not reuse an existing gid; a user and a
# group of the same name share one number) are not met by several older
# entries.  Same-name pairs that currently disagree: tomcat (uid 16 / gid 21),
# postfix (14 / 13), munin (102 / 95), firebird (95 / 127),
# haproxy (97 / 92), openldap (99 / 93), hbase (158 / 139),
# opentsdb (159 / 140), nylon (168 / 166).  Two names are also spelled
# differently on the two sides: ghostone (uid) vs ghostOne (gid), and
# fourstorehttp (uid) vs fourstorehttpd (gid).

{ config, pkgs, lib, ... }:

{

  options = {

    # Both options are internal (not user-facing); their values are supplied
    # by the config section of this same module.
    ids.uids = lib.mkOption {
      internal = true;
      description = ''
        The user IDs used in NixOS.
      '';
    };

    ids.gids = lib.mkOption {
      internal = true;
      description = ''
        The group IDs used in NixOS.
      '';
    };

  };


  config = {

    # Static uid table.  Numbers are allocated once and never reused.
    ids.uids = {
      root = 0;
      nscd = 1;
      sshd = 2;
      ntp = 3;
      messagebus = 4; # D-Bus
      haldaemon = 5;
      nagios = 6;
      vsftpd = 7;
      ftp = 8;
      bitlbee = 9;
      avahi = 10;
      atd = 12;
      zabbix = 13;
      postfix = 14;
      dovecot = 15;
      tomcat = 16;
      pulseaudio = 22; # must match `pulseaudio' GID
      gpsd = 23;
      polkituser = 28;
      uptimed = 29;
      ddclient = 30;
      davfs2 = 31;
      privoxy = 32;
      osgi = 34;
      tor = 35;
      cups = 36;
      foldingathome = 37;
      sabnzbd = 38;
      kdm = 39;
      ghostone = 40;
      git = 41;
      fourstore = 42;
      fourstorehttp = 43;
      virtuoso = 44;
      rtkit = 45;
      dovecot2 = 46;
      dovenull2 = 47;
      unbound = 48;
      prayer = 49;
      mpd = 50;
      clamav = 51;
      fprot = 52;
      bind = 53;
      wwwrun = 54;
      spamd = 56;
      nslcd = 58;
      nginx = 60;
      chrony = 61;
      smtpd = 63;
      smtpq = 64;
      supybot = 65;
      iodined = 66;
      graphite = 68;
      statsd = 69;
      transmission = 70;
      postgres = 71;
      smbguest = 74; # unused
      varnish = 75;
      datadog = 76;
      lighttpd = 77;
      lightdm = 78;
      freenet = 79;
      ircd = 80;
      bacula = 81;
      almir = 82;
      deluge = 83;
      mysql = 84;
      rabbitmq = 85;
      activemq = 86;
      gnunet = 87;
      oidentd = 88;
      quassel = 89;
      amule = 90;
      minidlna = 91;
      elasticsearch = 92;
      tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
      zope2 = 94;
      firebird = 95;
      redis = 96;
      haproxy = 97;
      mongodb = 98;
      openldap = 99;
      memcached = 100;
      cgminer = 101;
      munin = 102;
      logcheck = 103;
      nix-ssh = 104;
      dictd = 105;
      couchdb = 106;
      searx = 107;
      kippo = 108;
      jenkins = 109;
      systemd-journal-gateway = 110;
      notbit = 111;
      ngircd = 112;
      btsync = 113;
      minecraft = 114;
      monetdb = 115;
      rippled = 116;
      murmur = 117;
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
      influxdb = 125;
      nsd = 126;
      gitolite = 127;
      znc = 128;
      polipo = 129;
      mopidy = 130;
      unifi = 131;
      gdm = 132;
      dhcpd = 133;
      siproxd = 134;
      mlmmj = 135;
      neo4j = 136;
      riemann = 137;
      riemanndash = 138;
      radvd = 139;
      zookeeper = 140;
      dnsmasq = 141;
      uhub = 142;
      yandexdisk = 143;
      collectd = 144;
      consul = 145;
      mailpile = 146;
      redmine = 147;
      seeks = 148;
      prosody = 149;
      i2pd = 150;
      dnscrypt-proxy = 151;
      systemd-network = 152;
      systemd-resolve = 153;
      systemd-timesync = 154;
      liquidsoap = 155;
      etcd = 156;
      docker-registry = 157;
      hbase = 158;
      opentsdb = 159;
      scollector = 160;
      bosun = 161;
      kubernetes = 162;
      peerflix = 163;
      chronos = 164;
      gitlab = 165;
      tox-bootstrapd = 166;
      cadvisor = 167;
      nylon = 168;

      # When adding a uid, make sure it doesn't match an existing gid,
      # and don't use uids above 399!

      nixbld = 30000; # start of range of uids
      nobody = 65534;
    };

    # Static gid table.  Same allocation policy as ids.uids above.
    ids.gids = {
      root = 0;
      wheel = 1;
      kmem = 2;
      tty = 3;
      messagebus = 4; # D-Bus
      haldaemon = 5;
      disk = 6;
      vsftpd = 7;
      ftp = 8;
      bitlbee = 9;
      avahi = 10;
      atd = 12;
      postfix = 13;
      postdrop = 14;
      dovecot = 15;
      audio = 17;
      floppy = 18;
      uucp = 19;
      lp = 20;
      tomcat = 21;
      pulseaudio = 22; # must match `pulseaudio' UID
      gpsd = 23;
      cdrom = 24;
      tape = 25;
      video = 26;
      dialout = 27;
      #polkituser = 28; # currently unused, polkitd doesn't need a group
      utmp = 29;
      davfs2 = 31;
      privoxy = 32;
      disnix = 33;
      osgi = 34;
      tor = 35;
      ghostOne = 40;
      git = 41;
      fourstore = 42;
      fourstorehttpd = 43;
      virtuoso = 44;
      dovecot2 = 46;
      prayer = 49;
      mpd = 50;
      clamav = 51;
      fprot = 52;
      wwwrun = 54;
      adm = 55;
      spamd = 56;
      networkmanager = 57;
      nslcd = 58;
      scanner = 59;
      nginx = 60;
      systemd-journal = 62;
      smtpd = 63;
      smtpq = 64;
      supybot = 65;
      iodined = 66;
      libvirtd = 67;
      graphite = 68;
      transmission = 70;
      postgres = 71;
      vboxusers = 72;
      vboxsf = 73;
      smbguest = 74; # unused
      varnish = 75;
      datadog = 76;
      lighttpd = 77;
      lightdm = 78;
      freenet = 79;
      ircd = 80;
      bacula = 81;
      almir = 82;
      deluge = 83;
      mysql = 84;
      rabbitmq = 85;
      activemq = 86;
      gnunet = 87;
      oidentd = 88;
      quassel = 89;
      amule = 90;
      minidlna = 91;
      haproxy = 92;
      openldap = 93;
      connman = 94;
      munin = 95;
      keys = 96;
      dictd = 105;
      couchdb = 106;
      searx = 107;
      kippo = 108;
      jenkins = 109;
      systemd-journal-gateway = 110;
      notbit = 111;
      btsync = 113;
      monetdb = 115;
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
# ids.gids continued: entries from 121 upwards, then the reserved high ids.
      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
      influxdb = 125;
      nsd = 126;
      firebird = 127; # NOTE(review): the firebird uid is 95, not 127
      znc = 128;
      polipo = 129;
      mopidy = 130;
      docker = 131;
      gdm = 132;
      tss = 133;
      siproxd = 134;
      mlmmj = 135;
      riemann = 137;
      riemanndash = 138;
      hbase = 139; # NOTE(review): the hbase uid is 158
      opentsdb = 140; # NOTE(review): the opentsdb uid is 159
      uhub = 142;
      mailpile = 146;
      redmine = 147;
      seeks = 148;
      prosody = 149;
      i2pd = 150;
      systemd-network = 152;
      systemd-resolve = 153;
      systemd-timesync = 154;
      liquidsoap = 155;
      fleet = 159;
      scollector = 160;
      bosun = 161;
      kubernetes = 162;
      gitlab = 165;
      nylon = 166; # NOTE(review): the nylon uid is 168

      # When adding a gid, make sure it doesn't match an existing uid.
      # Users and groups with the same name should have equal uids and
      # gids. Also, don't use gids above 399!

      users = 100;
      nixbld = 30000;
      nogroup = 65534;
    };

  };

}