Re: [Nix-dev] Change owner and permissions of a file in nix-store

2015-12-16 Thread Peter Jones
Luca Bruno  writes:
> I think a good workaround to avoid using absolute paths in general (which
> thus allows for exchanging derivations between machines) may work as
> follows:
> 1. The derivation creates a tar. In a tar, you can set the permissions and
> ownership you want.
> 2. Create some activation script that untars the archive preserving the
> permissions under some path.

Wouldn't the tar be world-readable in the nix store?

-- 
Peter Jones, Founder, Devalot.com
Defending the honor of good code

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] nixops deploying to libvirtd

2015-12-16 Thread Domen Kožar
For leases, this is a bug in nixops, I'll open a PR.

On Wed, Dec 16, 2015 at 12:01 AM, Domen Kožar  wrote:

> Just FYI, /var/lib/libvirt/images needs to be writable by the user
> deploying using nixops.
>
> On Thu, Jun 18, 2015 at 11:00 PM, Richard Wallace <
> rwall...@thewallacepack.net> wrote:
>
>> Hello all,
>>
>> I'm trying to get a project set up to deploy to libvirtd locally instead
>> of VirtualBox because I've grown a bit tired of VirtualBox being so buggy.
>> But I'm having issues getting the libvirtd deployment going and I'm hoping
>> someone can help me along.
>>
>> I'm running NixOS on the host, so in my configuration.nix I added
>> "virtualisation.libvirtd.enabled = true;" and added my user into the
>> "libvirtd" group.
>>
>> When trying to deploy the first time, I received the error
>>
>> error: [Errno 13] Permission denied: '/var/lib/libvirt/images'
>>
>> So I went off and created it with 770 perms owned by root:libvirtd. After
>> trying to deploy again, I get
>>
>> error: [Errno 2] No such file or directory:
>> '/var/lib/libvirt/dnsmasq/default.leases'
>>
>> I'm not sure what I need to do now, so I'm a bit stuck. Any advice?
>>
>> Thanks,
>> Rich
>>


Re: [Nix-dev] Change owner and permissions of a file in nix-store

2015-12-16 Thread Eelco Dolstra
Hi,

On 16/12/15 16:07, Augustin Borsu wrote:

> I'm using the following snippet to deploy a private key and certificate 
> to my server using nixops.
> I was wondering, is it possible to change the owner and permissions of 
> files in the nix-store?

No, this is not currently possible. There is a PR open for adding support for
private files [1].

An alternative solution would be support for encrypted files in the Nix store
(i.e. secrets get encrypted at evaluation time, and decrypted at runtime). I
implemented a prototype a while back [2], but it's not merged either.

[1] https://github.com/NixOS/nix/pull/329

[2]
https://github.com/edolstra/nix/commit/6b7003672ff8d73d2a1f3b6709b216b3d0a7ad9c,
example usage for wpa_supplicant.conf keys:
https://github.com/edolstra/nixpkgs/commit/4c8212069429bf9fb959e00ce8d9345ac7cb7ff0

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/


Re: [Nix-dev] loopback.cfg grub ISO boot

2015-12-16 Thread Peter Jones
pille  writes:
> i recently configured my grub2 to boot some linux live-CD/DVD-ISOs via
> its loopback capability. while figuring out the parameters to get them
> booted is extremely painful and error-prone. but i found a nice
> "standard", which i'm asking you to implement.
>
> it boils down to providing a loopback.cfg inside the ISO that can be
> sourced by grub's config and has access to some prepared variables.
> i guess it can be generated without much overhead, since you need to
> maintain your isolinux.cfg anyway.

Actually, this is really easy to do:

  1) Configure grub to load a NixOS ISO via loopback

  2) Make sure the ISO has a disk label, in my example it's ISOHOST

  3) Set up boot.initrd.postDeviceCommands so that NixOS boots off the ISO

I have an example nix file here:

  https://github.com/pjones/nixpkgs/blob/gpg-iso/nixos/modules/installer/cd-dvd/gpg-iso.nix

Some additional notes can be found here:

  https://github.com/pjones/encryption-utils/blob/master/doc/offline-usb-drive.md

-- 
Peter Jones, Founder, Devalot.com
Defending the honor of good code



[Nix-dev] Non-root access to nixos-container

2015-12-16 Thread rohit yadav
Hi,

After trying docker, rkt etc, I have found nixos-container to be best
suited for my application. However, I find a warning that root access to
the container should not be provided to any untrusted user. I am wondering
if I can create a normal user in a declarative container, would that be
safe? This may be a trivial question, I just want to be clear on this.

I have not been able to run lxc container on NixOS yet. I would be
grateful if someone can share their success story in this regard. Docker
works fine but cannot create systemd-service to launch. Besides, the images
sizes are too big.

Thanks,
Rohit


Re: [Nix-dev] Change owner and permissions of a file in nix-store

2015-12-16 Thread Luca Bruno
I think a good workaround to avoid using absolute paths in general (which
thus allows for exchanging derivations between machines) may work as
follows:
1. The derivation creates a tar. In a tar, you can set the permissions and
ownership you want.
2. Create some activation script that untars the archive preserving the
permissions under some path.

On Wed, Dec 16, 2015 at 7:35 PM, Eelco Dolstra 
wrote:

> Hi,
>
> On 16/12/15 16:07, Augustin Borsu wrote:
>
> > I'm using the following snippet to deploy a private key and certificate
> > to my server using nixops.
> > I was wondering, is it possible to change the owner and permissions of
> > files in the nix-store?
>
> No, this is not currently possible. There is a PR open for adding support
> for private files [1].
>
> An alternative solution would be support for encrypted files in the Nix
> store (i.e. secrets get encrypted at evaluation time, and decrypted at
> runtime). I implemented a prototype a while back [2], but it's not merged
> either.
>
> [1] https://github.com/NixOS/nix/pull/329
>
> [2]
> https://github.com/edolstra/nix/commit/6b7003672ff8d73d2a1f3b6709b216b3d0a7ad9c,
> example usage for wpa_supplicant.conf keys:
> https://github.com/edolstra/nixpkgs/commit/4c8212069429bf9fb959e00ce8d9345ac7cb7ff0
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

-- 
NixOS Linux 


[Nix-dev] loopback.cfg grub ISO boot

2015-12-16 Thread pille
hi,

since i don't know in which github subproject i should file a feature
request, i'm trying this list hoping either to get a pointer where to
post my request, or hear that you'll accept and implement it straight
away ;-)

i recently configured my grub2 to boot some linux live-CD/DVD-ISOs via
its loopback capability. while figuring out the parameters to get them
booted is extremely painful and error-prone. but i found a nice
"standard", which i'm asking you to implement.

it boils down to providing a loopback.cfg inside the ISO that can be
sourced by grub's config and has access to some prepared variables.
i guess it can be generated without much overhead, since you need to
maintain your isolinux.cfg anyway.

that way i just need to point grub to the ISO and it's capable to boot
it. i'm currently using it to provide a Linux Mint for guest users of my
laptop, who don't have access to my FDE (except boot partition)

http://www.supergrubdisk.org/wiki/Loopback.cfg

cheers
  pille


Re: [Nix-dev] Non-root access to nixos-container

2015-12-16 Thread joachifm
On Wed, Dec 16, 2015, at 08:46 PM, rohit yadav wrote:
> Hi,

Hi,

> After trying docker, rkt etc, I have found nixos-container to be best
> suited for my application. However, I find a warning that root access to
> the container should not be provided to any untrusted user. I am
> wondering
> if I can create a normal user in a declarative container, would that be
> safe? This may be a trivial question, I just want to be clear on this.

Depending on your setup, having root in the container may be equivalent
to having root on the host. Compared to that situation, executing as an
unprivileged user within the container appears to improve security. That
said, if a container solution CAN adversely affect the host system, it
is prudent to assume that a malicious user will find a way to make that
happen (whether anyone will care to try is another matter). This caveat
very much applies to NixOS containers, which are implemented by
executing `systemd-nspawn` as root on the host system. 

Systemd-nspawn upstream explicitly states that lightweight containers
are insecure and not to be relied on to do much beyond preventing
accidental damage to the host system. If security is your only reason
for using containers, consider whether you're meaningfully improving
security compared to running the service as an unprivileged user on the
host and not actually making things worse by introducing additional
complexity.

HTH,
Joachim
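To make the contrast Joachim draws concrete, here is an added example (the editor's, not Joachim's or the NixOS project's own code) of the two layouts side by side: a declarative container that merely adds an unprivileged user inside, and the same service run directly on the host under its own system user. The container attributes follow the NixOS containers.<name> module; the systemd sandboxing directives under serviceConfig are standard systemd options whose availability depends on your systemd version; the service name myapp and the package pkgs.myapp are placeholders. In a real configuration you would pick one layout, not both.

```nix
{ config, pkgs, ... }:

{
  # Layout A: a declarative NixOS container. The host runs systemd-nspawn
  # as root for it, so a root escape inside the container is a root
  # compromise of the host. Running the service as a normal user inside
  # raises the bar for an attacker but does not turn nspawn into a
  # security boundary.
  containers.myapp = {
    autoStart = true;
    config = { config, pkgs, ... }: {
      users.extraUsers.myapp = { isNormalUser = true; };   # unprivileged inside
      systemd.services.myapp = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          User = "myapp";
          ExecStart = "${pkgs.myapp}/bin/myapp";          # placeholder package
        };
      };
    };
  };

  # Layout B: the same service on the host as a dedicated system user.
  # The service has the same privilege level as the normal user in
  # layout A, without the extra nspawn machinery running as root.
  users.extraUsers.myapp = {
    isSystemUser = true;
    group = "myapp";
    home = "/var/lib/myapp";
    createHome = true;
  };
  users.extraGroups.myapp = {};

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "myapp";
      Group = "myapp";
      ExecStart = "${pkgs.myapp}/bin/myapp";               # placeholder package
      # systemd's own per-service sandboxing (assumed available on your
      # systemd version): private /tmp, read-only /usr and /etc, no /home,
      # and no setuid/capability gains for child processes.
      PrivateTmp = true;
      ProtectSystem = "full";
      ProtectHome = true;
      NoNewPrivileges = true;
    };
  };
}
```

Layout B is what Joachim's last paragraph points at: if the only reason for the container was isolation, the host-side unit gives the same unprivileged user plus whatever systemd can restrict, with fewer moving parts to get wrong.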


[Nix-dev] Change owner and permissions of a file in nix-store

2015-12-16 Thread Augustin Borsu
I'm using the following snippet to deploy a private key and certificate 
to my server using nixops.
I was wondering, is it possible to change the owner and permissions of 
files in the nix-store?
It seems to me this would be more secure if the certificate and key were 
only accessible by the user launching apache and not by everyone else.

Thanks.

services = {
  httpd = {
    enable = true;
    sslServerCert = builtins.toFile "ssl.crt" (builtins.readFile ./private/local.crt);
    sslServerKey = builtins.toFile "ssl.key" (builtins.readFile ./private/local.key);
    enableSSL = true;
  };
};


[Nix-dev] Working on Erlang packages

2015-12-16 Thread Gleb Peregud
Hello Nix devs

I have started working on bringing a wealth of Erlang packages into the Nix
world. The foundation of the work has been merged into master:
https://github.com/NixOS/nixpkgs/pull/11651

A tracking issue is here:
https://github.com/NixOS/nixpkgs/issues/11748

TL;DR: Import packages from Hex.pm and build them with rebar3. Make
maintenance as automatic as possible, with tooling similar to what is done
for Haskell.

Please refer to the issue for more details.

Cheers,
Gleb


Re: [Nix-dev] Change owner and permissions of a file in nix-store

2015-12-16 Thread Игорь Пашев
I'd suggest to use NixOps keys and these tricks
http://lists.science.uu.nl/pipermail/nix-dev/2015-November/018806.html

2015-12-16 18:07 GMT+03:00 Augustin Borsu :
> I'm using the following snippet to deploy a private key and certificate
> to my server using nixops.
> I was wondering, is it possible to change the owner and permissions of
> files in the nix-store?
> It seems to me this would be more secure if the certificate and key was
> only accessible by the user launching apache and not by everyone else.
>
> Thanks.
>
> services = {
>   httpd = {
>     enable = true;
>     sslServerCert = builtins.toFile "ssl.crt" (builtins.readFile ./private/local.crt);
>     sslServerKey = builtins.toFile "ssl.key" (builtins.readFile ./private/local.key);
>     enableSSL = true;
>   };
> };
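As an added example of the NixOps keys approach suggested above (the editor's illustration, not the tricks from the linked post and not NixOps' own documentation), here is the Apache snippet rewritten so the private key never enters the Nix store. It assumes the deployment.keys.<name> options text, user, group and permissions; that NixOps places keys under /run/keys/<name> in a RAM-backed directory that only root and the "keys" group can traverse; that it generates a <name>-key.service unit a dependent service can wait on; and that Apache on NixOS runs as wwwrun. Check those names against your NixOps version.

```nix
{ config, pkgs, ... }:

{
  # Before (the snippet in the original message): builtins.toFile writes the
  # key into /nix/store, and every store path is world-readable, so any local
  # user can read it, and it travels with the closure to caches and other hosts:
  #
  #   sslServerKey = builtins.toFile "ssl.key" (builtins.readFile ./private/local.key);
  #
  # After: declare it as a NixOps deployment key. NixOps copies the key over
  # SSH at deploy time into /run/keys/<name> (assumed location, outside the
  # store) with the owner and mode given below.
  deployment.keys.httpd-ssl-key = {
    text = builtins.readFile ./private/local.key;  # read in clear on the deployer only
    user = "wwwrun";          # NixOS httpd runs as wwwrun by default
    group = "wwwrun";
    permissions = "0400";
  };

  # /run/keys itself is only traversable by root and the "keys" group
  # (assumed NixOps behaviour), so the Apache user needs that group.
  users.extraUsers.wwwrun.extraGroups = [ "keys" ];

  services.httpd = {
    enable = true;
    enableSSL = true;
    # The certificate is public, so letting Nix copy it into the store is fine.
    sslServerCert = ./private/local.crt;
    # A plain string: Nix copies nothing, Apache reads the path at start.
    sslServerKey = "/run/keys/httpd-ssl-key";
  };

  # The key only arrives after boot, so order httpd after the per-key unit
  # NixOps generates (assumed name: <key>-key.service) instead of letting it
  # start with the file missing.
  systemd.services.httpd = {
    after = [ "httpd-ssl-key-key.service" ];
    wants = [ "httpd-ssl-key-key.service" ];
  };
}
```

Because /run/keys is RAM-backed, the key is gone after a reboot until the next nixops deploy (or nixops send-keys); with the ordering above httpd waits for the key unit rather than starting without the file. The key is still read in clear on the deployer, and anyone who can evaluate the deployment expression there can read it; what changes is that it never lands in the target's Nix store or in a binary cache.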


[Nix-dev] journald and /var/log on a separate device

2015-12-16 Thread Игорь Пашев
I tried to use /var/log on a separate disk.
After first deployment of VBox (via NixOps)
/var/log is mounted, but empty:

$ ls -lh /var/log/
total 16K
drwx------ 2 root root 16K Dec 17 00:28 lost+found

$ sudo journalctl
No journal files were found.


It seems that this stuff is executed before mount:
https://github.com/NixOS/nixpkgs/commit/538958bf17b7493e38ccc07d3405f979fd40e4b8

Then I deployed again (without changes actually, just activation),
and /var/log/journal was created, but only readable by root:

$ ls -lh /var/log/journal/ -d
drwx------ 2 root root 4.0K Dec 17 00:34 /var/log/journal

It sounds like activation script is not the best place for making
/var/log/journal
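An added note from the editor, not part of the thread: the ordering problem described (activation creating /var/log/journal before the separate /var/log device is mounted) is what the NixOS fileSystems.<name>.neededForBoot option addresses. It makes stage 1 mount the file system from the initrd, so it is already in place when the stage 2 activation scripts run. The device path and file system type below are placeholders for whatever the VBox image actually uses.

```nix
{ config, pkgs, ... }:

{
  fileSystems."/var/log" = {
    device = "/dev/disk/by-label/log";   # placeholder: your /var/log device
    fsType = "ext4";                      # placeholder: its file system type
    # Mount from the initrd, before activation runs, so anything activation
    # creates under /var/log lands on the separate device, not on the root
    # file system underneath the (not yet mounted) mount point.
    neededForBoot = true;
  };
}
```

Without neededForBoot, /var/log is mounted later by systemd, after activation has already populated the directory on the root file system; mounting the device on top then hides that content, which matches the empty directory seen after the first deployment.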