Commit Graph

325 Commits

Author SHA1 Message Date
Emily
b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily
84f258bf09 nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily
cc28d51237 nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily
46d12cca56 nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily
af4f57b2c4 nixos/hardened: don't set net.core.bpf_jit_harden
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily
71bbd876b7 nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily
9da578a78f nixos/hardened: don't set kernel.dmesg_restrict
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily
cf1bce6a7a nixos/hardened: don't set vsyscall=none
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily
3b32cd2a5b nixos/hardened: don't set slab_nomerge
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Florian Klink
a8989b353a Revert "nixos/hardened: build sandbox incompatible with namespaces"
As discussed in https://github.com/NixOS/nixpkgs/pull/73763, prevailing
consensus is to revert that commit. People use the hardened profile on
machines and run nix builds, and there's no good reason to use
unsandboxed builds at all unless you're in a platform that doesn't
support them.

This reverts commit 00ac71ab19.
2020-04-05 17:38:15 +02:00
Joachim F
18b89e7abd
Merge pull request #73763 from kmcopper/hardening-profile
Improvements to the NixOS Hardened Profile
2020-04-03 18:48:12 +00:00
Eelco Dolstra
bd379be538
Remove unused 'rogue' service 2020-03-24 15:25:20 +01:00
Eelco Dolstra
aebf9a4709
services/misc/nixos-manual.nix: Remove
Running the manual on a TTY is useless in the graphical ISOs and not
particularly useful in non-graphical ISOs (since you can also run
'nixos-help').

Fixes #83157.
2020-03-24 15:25:20 +01:00
Thomas Tuegel
757c7f3773
docker-container: Remove /etc symlink
The system output usually contains a symlink from /etc to the static
configuration for the benefit of the stage-1 script in the initrd. The stage-2
script is usually started in the real root without such a symlink. In a
container, there is no stage-1 and the system output is used directly as a real
root. If the symlink is present, setup-etc.pl will create a symlink cycle and
the system cannot boot. There is no reason for the /etc link to exist in a
container because setup-etc.pl will create the necessary files. The container
module will now remove the /etc symlink and create an empty directory. The empty
/etc is for container managers to populate it with site-specific settings; for
example, to set the hostname. This is required to boot NixOS in an LXC container
on another host.

See also: #9735
2019-11-27 15:51:19 -06:00
Kyle Copperfield
759968a612 nixos/hardened: scudo default allocator. zero by default allow override. 2019-11-26 08:50:35 +00:00
Jan Tojnar
77661f8cfd
nixos/plasma5: drop enableQt4Support option
Phonon no longer supports Qt4 so this is useless.
2019-11-22 09:01:05 +01:00
Kyle Copperfield
00ac71ab19 nixos/hardened: build sandbox incompatible with namespaces
Disables the build sandbox by default to avoid incompatibility with
defaulting user namespaces to false. Ideally there would be some kind of
linux kernel feature that allows us to trust nix-daemon builders to
allow both nix sandbox builds and disabling untrusted naemspaces at the
same time.
2019-11-19 14:56:09 +00:00
Elis Hirwing
4403cd16f9
profiles/graphical.nix: Drop systemWide pulseaudio in iso
It's not needed since #66338 and should have been done earlier.

This is based on a follow-up on #56167.
2019-11-11 17:07:42 +01:00
Franz Pletz
ec6224b6cd Revert "installer: Disable udisks"
This reverts commit 571fb74f44.

The dependency on gtk2 was removed.

Co-authored-by: Florian Klink <flokli@flokli.de>
2019-10-16 20:31:24 -04:00
Joachim F
5bea2997fe
nixos/hardened: blacklist old filesystems (#70482)
The rationale for this is that old filesystems have recieved little scrutiny
wrt. security relevant bugs.

Lifted from OpenSUSE[1].

[1]: 8cb42fb665

Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
2019-10-12 10:08:44 +00:00
Matthieu Coudron
c27360ae47 qemu-guest: allow to override security.rngd
... otherwise enabling it causes a merge conflict.

Enabling it was necessary to give enough entropy for the sshd daemon in
my libvirt/nixops VM to generate keys see
https://github.com/NixOS/nixops/issues/1199.
2019-09-18 00:35:04 +09:00
Florian Klink
4e586dea50
Merge pull request #63773 from flokli/installation-device-fixes
installation-device.nix: explain sshd usage, don't include clone-config
2019-08-31 02:59:23 +02:00
Marek Mahut
7a4b296c8d
Merge pull request #66687 from joachifm/feat/hardened-nixos-revert-graphene-malloc
Revert "nixos/hardened: use graphene-hardened malloc by default"
2019-08-19 20:56:07 +02:00
Florian Klink
f71fd79ff0 nixos/installation-device.nix: explain sshd usage 2019-08-19 16:34:06 +02:00
Florian Klink
9be0327a49 nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
2019-08-18 17:54:26 +02:00
Joachim Fasting
4ead3d2ec3
Revert "nixos/hardened: use graphene-hardened malloc by default"
This reverts commit 48ff4f1197.

Causes too much breakage to be enabled by default [1][2].

[1]: https://github.com/NixOS/nixpkgs/issues/61489
[2]: https://github.com/NixOS/nixpkgs/issues/65000
2019-08-15 18:49:57 +02:00
Joachim Fasting
da0b67c946
nixos-hardened: disable unprivileged userfaultfd syscalls
New in 5.2 [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
2019-08-15 18:43:34 +02:00
Joachim Fasting
4b21d1ac8c
nixos-hardened: enable page alloc randomization 2019-08-15 18:43:32 +02:00
worldofpeace
397c7d26fc installer: Don't run as root
There's many reason why it is and is going to
continue to be difficult to do this:

1. All display-managers (excluding slim) default PAM rules
   disallow root auto login.

2. We can't use wayland

3. We have to use system-wide pulseaudio

4. It could break applications in the session.
   This happened to dolphin in plasma5
   in the past.

This is a growing technical debt, let's just use
passwordless sudo.
2019-08-12 14:45:27 -04:00
Pierre Bourdon
67b7e70865
nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false
on !hardened, true on hardened) that forces pti=on.
2019-07-30 02:24:56 +02:00
Marek Mahut
e72f25673d Renaming security.virtualization.flushL1DataCache to virtualisation
Fixes #65044
2019-07-19 15:49:37 +02:00
Joachim Fasting
c3cc7034e2
nixos/hardened: harder inet defaults
See e.g., https://github.com/NixOS/nixpkgs/issues/63768

Forwarding remains enabled for now, need to determine its effects on
virtualization, if any.
2019-07-04 19:24:44 +02:00
Joachim Fasting
c233e24d54
nixos/hardened: disable ftrace by default 2019-07-04 19:24:41 +02:00
Joachim Fasting
48ff4f1197
nixos/hardened: use graphene-hardened malloc by default 2019-05-07 13:45:39 +02:00
Elis Hirwing
d1c2805eb5
profiles/graphical.nix: Enable pulseaudio for virtualbox appliances 2019-02-22 07:23:59 +01:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Profpatsch
c8c53fcb11 modules/profiles/minimal: sound is disabled by default
The option is `false` by default since
e349ccc77f, so we don’t need to mention
it explicitely in these minimal configs.
2019-01-13 13:47:36 +01:00
Joachim Fasting
167578163a
nixos/hardened profile: always enable pti 2019-01-05 14:07:39 +01:00
Joachim Fasting
3f1f443125
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
2019-01-05 14:07:37 +01:00
Joachim Fasting
ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting
e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Graham Christensen
6db866cbd2
Revert "zfs cannot be distributed. Disabling it in the isos."
ZFS's popularity is growing, and not including it by default is a
bit frustrating. On top of that, the base iso includes ZFS
_anyway_ due to other packages depending upon it.

I think we're in the clear to do this on the basis that Oracle
probably doesn't care, it is probably fine (the SFLC agrees) and
we're a small fish. If a copyright holder asks us to, we can
definitely revert it again.

This reverts commit 33d07c7ea9.
2018-11-26 17:51:18 -05:00
Ding Xiang Fei
b011049cf6 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-26 12:04:07 +08:00
Joachim Fasting
6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00
Ding Xiang Fei
ceececbd04 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-14 12:32:28 +08:00
Ding Xiang Fei
4259f7575e use closure-info for building system tarball 2018-11-07 12:52:53 +08:00
Eelco Dolstra
be6e4b8af8
Merge pull request #49326 from c0bw3b/nixos/installation-device
nixos/installation-device: set GC initial heap size to 1MB
2018-10-30 14:13:59 +01:00
Matthew Bauer
a943bc9e04
Merge pull request #48801 from matthewbauer/cloneConfigExtra
ova: add cloneConfigExtra option
2018-10-28 19:05:16 -05:00
Renaud
fc476599ad
installation-device: set GC initial heap size to 1MB
100000 (100kB) is too aggressive (too low) and gets ignored by the GC
See issue #43339
2018-10-28 10:48:00 +01:00
Tuomas Tynkkynen
cc92fc0a83 nixos/installation-device: Move systemPackages additions to profiles/base
Other package additions are there as well.
2018-10-27 15:17:13 +03:00
Tuomas Tynkkynen
717206010f nixos/installer: Drop extra copy of w3m
The nixos-manual service already uses w3m-nographics for a variant that
drops unnecessary junk like various image libraries.

iso_minimal closure (i.e. uncompressed) goes from 1884M -> 1837M.
2018-10-27 13:16:30 +03:00
Matthew Bauer
1902adb437 ova: add cloneConfigExtra option
Customize virtualbox ovas to contain a clone config option giving some
useful hints.

Fixes #38429
2018-10-21 14:52:49 -05:00
Joachim F
205aff5a65
Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
2018-10-15 21:25:42 +00:00
Joachim Fasting
f4ea22e5de
nixos/security/misc: init
A module for security options that are too small to warrant their own module.

The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
   Nix sandbox builds to work

In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.
2018-10-15 23:11:37 +02:00
Joachim Fasting
cb845123d4
nixos/hardened: add myself to maintainers 2018-10-15 01:33:33 +02:00
aszlig
c5bb43188d
nixos: Fix eval error for documentation.nixos
Introduced by 0f3b89bbed.

If services.nixosManual.showManual is enabled and
documentation.nixos.enable is not, there is no
config.system.build.manual available, so evaluation fails. For example
this is the case for the installer tests.

There is however an assertion which should catch exactly this, but it
isn't thrown because the usage of config.system.build.manual is
evaluated earlier than the assertions.

So I split the assertion off into a separate mkIf to make sure it is
shown appropriately and also fixed the installation-device profile to
enable documentation.nixos.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @oxij
2018-09-25 23:39:44 +02:00
Michael Raskin
61abf3bbd9
Merge pull request #47298 from oxij/nixos/doc-in-installer
nixos: fix fallout from #46193
2018-09-25 09:00:43 +00:00
xeji
bc22265e65
Merge pull request #47296 from matthewbauer/closure-size-reductions
ISO/OVA closure size reductions
2018-09-24 23:21:02 +02:00
Jan Malakhovski
1a6ce11518 nixos: doc: fix minimal profile and installer configs 2018-09-24 21:07:59 +00:00
Matthew Bauer
2b7d6e463e nixos: don’t enableQt4Support for installer profile
This is already done in
installer/cd-dvd/installation-cd-graphical-kde.nix but not in
profiles/graphical.nix. Related to #47256.
2018-09-24 15:07:25 -05:00
Samuel Dionne-Riel
ebf041d4bd
Merge pull request #46193 from oxij/nixos/manual-to-doc
nixos: doc: implement #12542
2018-09-24 00:09:23 -04:00
Jan Malakhovski
0f3b89bbed nixos: doc: move non-service parts of service.nixosManual to documentation.nixos 2018-09-23 20:50:47 +00:00
Matthew Bauer
94bec239d5 nixos: make firefox default browser
Without this the graphical installer has no way to open the manual.
You can fix it yourself by installing any HTML browser but this might
be unfamiliar to users new to NixOS and without any other way to open
the manual. The downside is it will also increase download sizes.

Fixes #46537
2018-09-22 23:33:16 -05:00
volth
d4ef7c6772 usb-storage -> uas
Following up https://github.com/NixOS/nixpkgs/pull/23665

Bootable USB-drives are not limited to ISO-images, there can be "normal" MBR/GPT-partitioned disk connected via USB-rack.
Also, "uas" implies "usb-storage", so there is no need to mention both.
2018-08-23 01:42:34 +00:00
Tuomas Tynkkynen
58dc26180f nixos: Fix iso_graphical evaluation
I broke it:
in job ‘nixos.iso_graphical.x86_64-linux’:
The option `services.udisks2.enable' has conflicting definitions, in `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/profiles/installation-device.nix' and `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/services/x11/desktop-managers/plasma5.nix'.
2018-08-17 07:43:58 +03:00
Tuomas Tynkkynen
571fb74f44 installer: Disable udisks
Due to whoever-knows-what, udisks nowadays pulls in GTK+ et al. But it
shouldn't be needed anyway in the installer, so disable it.
2018-08-17 06:56:51 +03:00
Bob van der Linden
e1da32d887 set initialHashedPassword in installation-device.nix 2018-08-07 14:45:50 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth
87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Tuomas Tynkkynen
91117f0d1d nixos/installer: Drop dmraid
This seems some obsolete software RAID configuration program that hasn't
been updated since 2010.
2018-05-25 01:55:51 +03:00
Nikolay Amiantov
e711da345c base profile: add mkpasswd to system packages
Allows the user to generate password hashes for the installed system easier.
2018-05-09 00:20:02 +03:00
Michael Raskin
b07ce1fb74
Merge pull request #38114 from oxij/nixos/doc-module
nixos: doc module
2018-04-05 07:09:32 +00:00
Graham Christensen
9b30d48b2b
Merge pull request #37288 from cleverca22/improve-make-tarball
make-system-tarball: allow alternate compression methods
2018-04-04 10:11:25 -04:00
Michael Bishop
3c9e579d1e
make-system-tarball: allow alternate compression methods 2018-04-03 11:30:43 -03:00
Jan Malakhovski
98fd9b7f86 nixos: doc: introduce documentation config subtree 2018-03-30 06:52:26 +00:00
volth
f68871764d treewide: replace depecated alias s/mssys/ms-sys/g 2018-03-22 10:13:21 +00:00
Matthew Bauer
1e621ff423 demo: autologin through xserver
also disable upower on virtualbox
Fixes #36348
2018-03-05 14:48:01 -06:00
Eelco Dolstra
b14d9e1568
Add jq to the installation media
This is required by closureInfo.
2018-02-27 20:20:37 +01:00
Shea Levy
943592f698
Add setFunctionArgs lib function.
Among other things, this will allow *2nix tools to output plain data
while still being composable with the traditional
callPackage/.override interfaces.
2018-01-31 14:02:19 -05:00
Franz Pletz
e2fe111d46
nixos/profiles/all-hardware: remove unavailable modules 2017-12-29 11:37:21 +01:00
Tuomas Tynkkynen
f3794bb8cb nixos/qemu-guest: Ensure virtio_mmio is available in initrd
ARM and AArch64 might use virtio_mmio in some cases.
2017-11-26 11:22:39 +02:00
Franz Pletz
3855b7977c
nixos: clean up kernel modules
* the keyboard modules in all-hardware.nix are already defaults of
   boot.initrd.availableKernelModules
 * ide modules, hid_lenovo_tpkbd and scsi_wait_scan have been removed
   because they're not available anymore
 * i8042 was a duplicate (see few lines abowe)
2017-10-07 01:48:03 +02:00
Franz Pletz
3d040f9305
nixos/install: disable kernel debug console logging
Add another option for debugging instead. Lots of users have been
complaining about this default behaviour.

This patch also cleans up the EFI bootloader entries in the ISO.
2017-09-23 20:03:19 +02:00
Michael Weiss
351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim Fasting
8aa0618cf0
nixos/hardened: blacklist a few obscure net protocols 2017-09-09 17:37:17 +02:00
Joachim Fasting
2bce0b13e7
nixos/hardened: set mmap_min_addr
This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages
2017-09-09 17:37:15 +02:00
Graham Christensen
1b68193167
profiles/graphical.nix: enable libinput over synaptics 2017-08-30 20:25:11 -04:00
Vladimír Čunát
dc93744273
rogue: omit from the installation media
At least for now.  It would increase the ISO size by ~10 MB,
after the fixup in the parent commit.
2017-08-29 16:15:15 +02:00
Joachim Fasting
c0769dc6ef
nixos/hardened profile: increase ASLR entropy 2017-08-13 21:44:13 +02:00
volth
870375e19d all-hardware.nix: add VMware support. (#27430)
NixOS does not boot in VMware guest without these modules
2017-07-17 02:38:10 +02:00
André-Patrick Bubel
d859769f26 nixos: replaced "userns" with "user namespaces" for clarity
"userns" wasn't introduces as an abbreviation elsewhere as far as I can see, and I wasn't sure what was meant at first.
2017-06-22 22:04:34 +02:00
Jörg Thalheim
e697585675
hardware.enableRedistributableFirmware: fix spelling error 2017-05-09 20:13:15 +01:00
Jörg Thalheim
05aa80c06a
hardware: add enableRedistributalFirmware
Due the recent inclusion of broadcom-bt-firmware in enableAllFirmware,
it was required to set `nixpkgs.config.allowUnfree` to obtain the full
list. To make this dependency more explicit an assertion is added and an
alternative option `enableRedistributalFirmware` is provided to only
obtain firmware with an license allowing redistribution.
2017-05-09 15:29:08 +01:00
Joachim Fasting
a1678269f9
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 15:17:27 +02:00
Joachim Fasting
1dd3ba924b
nixos/hardened profile: disable hibernation
Recommended by KSPP
2017-04-30 12:06:11 +02:00
Joachim Fasting
8c98e8ca2f
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 12:05:40 +02:00
Joachim Fasting
6a5a5728ee
nixos/hardened profile: lock kernel modules 2017-04-30 12:05:38 +02:00
Joachim Fasting
63433537ce
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:11 +02:00
Joachim Fasting
063ac40304
nixos: add a "hardened" profile
The idea is to provide a convenient way to enable most vanilla hardening
features in one go.  The hardened profile, then, will serve as a place for
features that enhance security but cannot be enabled for all deployments
because they interfere with legitimate use cases (e.g., using ptrace to
debug problems in an already running process).

Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-23 11:00:52 +02:00
Thomas Tuegel
8e6bdcc731
nixos: fix renaming warning in graphical profile 2017-03-03 07:27:41 -06:00
Graham Christensen
b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5 2017-02-09 21:52:00 -05:00
taku0
8dfa60ce73 nixos-generate-config.pl, all-hardware.nix: Add support for Hyper-V 2017-02-05 18:22:26 +09:00
Pascal Bach
01fd86723c install-device: correct command to start sshd 2017-01-25 21:09:31 +01:00
Pascal Bach
03ef04f0a4 install-device: permit root login with password
Allow password login to the installation this allows doing remote installation
via SSH. All that need to be done on the local machine is:
1. Boot from the installation media
2. Set a password with passwd
3. Enable SSH with systemctl start sshd

It is safe as root doesn't have a password by default
and SSH is disabled by default.

Fixes #20718
2017-01-25 21:09:31 +01:00
Tuomas Tynkkynen
b63f97c6e6 installer: Include stdenvNoCC
And don't include ArchiveCpio as that one is no longer needed after
5a8147479 ("make-initrd: create reproducible initrds").
2017-01-23 23:49:18 +02:00
Robin Gloster
f4f4200d9a
install-devices: add vim
This moves vim to the install-device profile to add vim to netboot, too.

Fixes #20013 (see discussion there for further information)
2017-01-18 17:57:31 +01:00
Franz Pletz
88908145ea
nixos installer: don't log refused packets to console
Fixes #19764.
2017-01-09 19:24:41 +01:00
Lluís Batlle i Rossell
33d07c7ea9 zfs cannot be distributed. Disabling it in the isos.
It seems that it is a GPL violation to distribute zfs in the
installation ISOs.

https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

If anyone knows the issue better and has a reason to reenable it
legally, feel free to reenable it. I don't know much about it.
2016-12-28 14:57:06 +01:00
Franz Pletz
da600849e3
nixos: disable sound for minimal ISO
Saves a few megabytes of ALSA stuff.
2016-11-23 02:24:13 +01:00
Franz Pletz
f983743d75
w3m-nox: use imlib2 without X11 support
Also, the minimal live CD previously installed both the X11 and
non-X11 versions (through services.nixosManual) of w3m.
2016-11-23 02:24:12 +01:00
Franz Pletz
ffac67fcf3
nixos/base: don't include dar & cabextract in ISO
Should free up lots of space due to dependency on gnupg, which dpeends on
openldap which pull in gcc.
2016-11-23 02:24:11 +01:00
Bjørn Forsman
32efdb7128 treewide: sshfsFuse -> sshfs-fuse 2016-09-18 17:44:30 +02:00
Eelco Dolstra
ab49ebe6fa Make it possible to disable "info" 2016-09-05 14:53:27 +02:00
Eelco Dolstra
5e5df88457 modules/profiles/minimal.nix: Disable "man" 2016-09-05 14:53:27 +02:00
Eric Sagnes
9236eedbc3 documentation: fix start display-manager command
[Bjørn: The 'start' alias was removed in commit 1d9651e723
("Remove systemd shell aliases").]
2016-07-04 10:25:31 +02:00
Tuomas Tynkkynen
60f5659dad treewide: Use correct output in ${config.nix.package}/bin 2016-04-25 16:44:37 +02:00
Eelco Dolstra
0729f60697 Remove "which" from base.nix 2016-04-18 14:20:49 +02:00
Eelco Dolstra
cd396076ec Revert "Revert "Remove which -> type -P alias.""
This reverts commit ddd480ac30. Gave it
some more thought.
2016-04-18 14:20:49 +02:00
Vladimír Čunát
d1df28f8e5 Merge 'staging' into closure-size
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Eelco Dolstra
1783e33b06 Fix the boot-ec2-config test 2016-03-30 22:22:40 +02:00
Eelco Dolstra
ddd480ac30 Revert "Remove which -> type -P alias."
This reverts commit e8e8164f34. I
misread the original commit as adding the "which" package, but it only
adds it to base.nix. So then the original motivation (making it work
in subshells) doesn't hold. Note that we already have some convenience
aliases that don't work in subshells either (such as "ll").
2016-03-25 17:17:07 +01:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Domen Kožar
73ba0ae2de Remove which -> type -P alias.
Aliases are not the same as programs. They won't work in subshells.
It's better to just use which as it's only 88K.
2016-03-03 16:15:25 +00:00
Eelco Dolstra
806b27a297 qemu-guest.nix: Disable rngd
This gets rid of a zillion "rngd[N]: read error" messages during boot.
2016-02-23 11:56:09 +01:00
Vladimír Čunát
716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Robin Gloster
391c330042 wpa_supplicant service: jobs -> systemd.services
Fixes an occurence of `jobs` usage causing tests to fail to evaluate.

thanks @domenkozar
2016-01-06 03:58:39 +00:00
Tuomas Tynkkynen
9ac80c1f15 installation-cd-graphical: Enable the 'synaptics' touchpad driver
This is needed to get touchpad working in the installer on several
laptops. Tested on a Thinkpad X250.
2015-12-24 17:45:51 +02:00
Luca Bruno
a412927924 Merge remote-tracking branch 'origin/master' into closure-size 2015-11-25 21:37:30 +01:00
Roger Qiu
1ddbc20dac Change the preset networking.hostId to use mkDefault so it can be easily changed by the user later 2015-11-22 01:03:16 +11:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jan Malakhovski
dddcec21fe nixos: add xfs support to profiles/minimal 2015-09-18 18:58:18 +00:00
Vladimír Čunát
7dc9450ed2 nixos/ISO profile: fix defaultLocales :-)
https://github.com/NixOS/nixpkgs/commit/eb4a88d8fd2#commitcomment-12527102
2015-08-06 12:30:38 +02:00
Eelco Dolstra
91e71725d4 Remove some obsolete references to <nixos> 2015-08-05 17:37:08 +02:00
rushmorem
d9c56c696f Replaces https://github.com/NixOS/nixpkgs/pull/8368 2015-06-17 19:26:17 +02:00
Rushmore Mushambi
8170e74d9f Revert "Make it possible to boot NixOS from a SCSI Disk on KVM" 2015-06-17 19:13:08 +02:00
rushmorem
ee3768b9ba Make it possible to boot NixOS from a SCSI Disk on KVM
Currently NixOS can't boot from a SCSI disk as a KVM Guest.
I found this out while installing it on the new [Linode KVM
platform](https://www.linode.com/docs/platform/kvm#custom-kernel-configuration).
2015-06-17 17:28:07 +02:00
Eelco Dolstra
e5db79a859 Move stuff to modules/profiles/installation-device.nix 2015-06-10 15:28:55 +02:00
Eelco Dolstra
6bf1853387 Don't include 4 editors in the minimal installation CD
Emphasis on "minimal".
2015-06-04 11:06:44 +02:00
Eelco Dolstra
2a1c342887 Disable the manual in the minimal profile 2015-05-26 20:20:53 +02:00
Vladimír Čunát
375bc8def7 Merge staging into closure-size 2015-05-05 11:49:03 +02:00
Ricardo M. Correia
f5e7190572 nixos.system_tarball_pc: Fix evaluation
It was broken due to 57b05765c9.

ZFS requires `networking.hostId` to be set.
2015-04-28 17:15:02 +02:00
Eelco Dolstra
19366a10fc Remove redundant i18n.supportedLocales setting
This is already set in profiles/minimal.nix.

Probably fixes #7589.
2015-04-27 19:21:28 +02:00
Vladimír Čunát
e81e2785c7 xfsprogs: fix outputs and references 2015-04-21 09:02:40 +02:00
Eelco Dolstra
650492c5c8 minimal.nix: Get rid of most Glibc locales
This cuts ~100 MB from the system closure.

Issue #7117.
2015-04-20 11:32:28 +02:00
Eelco Dolstra
3d2b24d161 Remove pciutils and usbutils from the default system path
Issue #7117.
2015-04-20 11:21:20 +02:00
Eelco Dolstra
2b6d011bec Include cifs-utils only when needed
Issue #7117.
2015-04-19 22:06:45 +02:00
Eelco Dolstra
1cb5583c05 container.nix -> docker-container.nix 2015-04-19 22:06:45 +02:00
Eelco Dolstra
57b05765c9 Don't include ntfs-3g by default
Issue #7117.
2015-04-19 22:06:45 +02:00
Tuomas Tynkkynen
25062f56d4 Installation CD: automatic log in at virtual consoles 2015-04-14 12:51:24 +03:00
William A. Kennington III
20d2092ff8 nixos/base: Add efi management utilities 2015-01-07 01:52:47 -08:00
Jaka Hudoklin
d8ee91cb54 nixos: container profile, fix a few things 2014-12-12 20:28:01 +01:00
Jaka Hudoklin
f2e20fa837 nixos: container profile, update /init symlink on rebuild 2014-12-12 02:55:23 +01:00
Jaka Hudoklin
deb28cf0b1 nixos: container tarball release
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Docker nixos image, use nixos profile for its base config
2014-12-11 23:17:27 +01:00
William A. Kennington III
5ae216558f jfsrec: Remove derivation 2014-11-02 17:22:27 -08:00
Eelco Dolstra
585983bc95 Merge remote-tracking branch 'origin/staging'
Conflicts:
	pkgs/applications/version-management/subversion/default.nix
2014-09-08 11:42:09 +02:00
Eelco Dolstra
1f7c775910 Remove unrar from the installation CD since it's unfree 2014-09-05 14:25:17 +02:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Vladimír Čunát
02cb604fd6 initrd.availableKernelModules: add support for keyboards
As explained in #2169, some keyboards need special drivers,
so these are always added, both on installation and normal systems.
2014-08-12 20:00:01 +02:00
Eelco Dolstra
5e96158234 Remove Subversion from the installation CD 2014-07-30 16:04:15 +02:00
Emery Hemingway
c96d5fe170 nixos: f2fs filesystem module support (close #2085) 2014-05-11 13:53:26 +02:00
Eelco Dolstra
4a08f37206 Don't start getty@tty1 on headless machines (like EC2)
Backport: 14.04
2014-05-05 16:47:36 +02:00
Eelco Dolstra
be0f5eb45c qemu-guest.nix: Load virtio_rng
This allows the guest to have a paravirtualized RNG, if the host
provides it.
2014-04-30 18:23:42 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Shea Levy
452a1f9318 Revert "Turn on user-controlled wpa-cli on the livecd"
user-controlled wpa-cli requires explicit interface setting for some
reason

This reverts commit c6797b373f.
2014-04-08 18:26:52 -04:00
Shea Levy
c6797b373f Turn on user-controlled wpa-cli on the livecd
Fixes #1204
2014-04-04 17:05:57 -04:00
Eelco Dolstra
1c192e1fea Another attempt to fix the installer test
http://hydra.nixos.org/build/9904133
2014-03-30 16:53:23 +02:00
Domen Kožar
ee14f8da9a remove references to isSystemUser and fix eval of tested job 2014-02-08 21:10:00 +01:00
Eelco Dolstra
657c8d9ea7 Hack to work around the lack of isPath 2013-10-28 22:45:57 +01:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00