Commit Graph

1331 Commits

Author SHA1 Message Date
aszlig
46f7dd436f
nixos/confinement: Allow to configure /bin/sh
Another thing requested by @edolstra in [1]:

  We should not provide a different /bin/sh in the chroot, that's just
  asking for confusion and random shell script breakage. It should be
  the same shell (i.e. bash) as in a regular environment.

While I personally would even go as far to even have a very restricted
shell that is not even a shell and basically *only* allows "/bin/sh -c"
with only *very* minimal parsing of shell syntax, I do agree that people
expect /bin/sh to be bash (or the one configured by environment.binsh)
on NixOS.

So this should make both others and me happy in that I could just use
confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:05 +01:00
aszlig
0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Martin Weinelt
a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
Jascha Geerds
ffedc3e4a9 misc: Remove myself from list of maintainers
Unfortunately I don't have the time anymore to maintain those
packages.
2019-03-12 23:50:52 +01:00
Johan Thomsen
968d3c9c05 nixos/gitlab: improved test to check download of repository archives 2019-03-12 15:04:45 +00:00
Markus Kowalewski
62ea707e31
nixos/tests: make slurm test more reliable 2019-03-09 22:31:40 +01:00
Andreas Rammhold
219b247e5b
Merge pull request #56607 from andir/cryptsetup-2.1
cryptsetup: 2.0.6 -> 2.1.0
2019-03-06 16:55:26 +01:00
Antoine Eiche
af23d1e2e7 nixos/test/docker-tools: fix Nix image digest 2019-03-06 09:26:33 +01:00
Andreas Rammhold
839a37fdd2
nixos/tests/installer: add cryptsetup tests for LUKS format 2 & default format 2019-03-02 13:56:52 +01:00
hyperfekt
3731835efc nixos/fish: generate autocompletions from man pages 2019-02-27 12:23:48 +01:00
xeji
0a63b6528b
Merge pull request #55547 from delroth/fix-warnings
Fix 3 warnings in nixos/tests
2019-02-25 16:01:42 +01:00
Nikita Uvarov
131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination
Previously, if startWhenNeeded was set, listenAddresses option was
ignored and daemon was listening on all interfaces.
Fixes #56325.
2019-02-25 00:51:58 +01:00
Aaron Andersen
c5ddcfe69f nixos/beanstalkd: update test to use python3 instead of python2 2019-02-22 15:00:20 -05:00
Florian Friesdorf
fbef5ab82f Remove myself as maintainer from packages
I'm currently not maintaining any packages.
2019-02-22 16:14:13 +01:00
aanderse
e5405f9ae8 nixos/beanstalkd: new service for existing package (#55953) 2019-02-22 14:10:02 +01:00
Robert Schütz
3382d93982 home-assistant-cli: 0.5.0 -> 0.6.0 2019-02-21 14:03:35 +01:00
Johan Thomsen
6045068f6c
nixos/kubernetes: (test) Fix race-condition in test cases. docker load might fail due to dockerd restarting 2019-02-20 21:08:57 +01:00
Johan Thomsen
466beb0214
nixos/kubernetes: let flannel use kubernetes as storage backend
+ isolate etcd on the master node by letting it listen only on loopback
+ enabling kubelet on master and taint master with NoSchedule

The reason for the latter is that flannel requires all nodes to be "registered"
in the cluster in order to setup the cluster network. This means that the
kubelet is needed even at nodes on which we don't plan to schedule anything.
2019-02-20 21:08:56 +01:00
Johan Thomsen
e2380e79e1
nixos/kubernetes: major module refactor
- All kubernetes components have been separated into different files
- All TLS-enabled ports have been deprecated and disabled by default
- EasyCert option added to support automatic cluster PKI-bootstrap
- RBAC has been enforced for all cluster components by default
- NixOS kubernetes test cases make use of easyCerts to setup PKI
2019-02-20 21:08:01 +01:00
Frederik Rietdijk
6fe10d2779 Merge master into staging-next 2019-02-16 09:29:54 +01:00
Jaka Hudoklin
5ae048071d
Merge pull request #55649 from johanot/flannel-with-kubernetes-backend
nixos/flannel: add kubernetes as storage backend (and fix test)
2019-02-15 19:55:56 +01:00
Samuel Dionne-Riel
98419a0f64 nixos/tests/switch-test: Ensures the test fails on failure (#55744)
The `| tee` invocation always masked the return value of the
switch-to-configuration test.

```
~ $ false | tee && echo "oh no"
oh no
```

The added wrapper script will still output everything to stderr, while
passing failures to the test harness.
2019-02-14 22:55:16 +01:00
Silvan Mosberger
b1bda29f5c
Merge pull request #55517 from florianjacob/cups-fix-ssl-dir
nixos/cups: Fix Unable to encrypt connection:
2019-02-14 21:19:57 +01:00
Florian Jacob
33b3272692 nixos/cups: Fix Unable to encrypt connection:
Unable to create server credentials
by creating /var/lib/cups/ssl directory.
2019-02-14 20:43:26 +01:00
Frederik Rietdijk
7257dedd7c Merge master into staging-next 2019-02-13 12:33:29 +01:00
Johan Thomsen
adc9da6178 nixos/flannel: fix flannel nixos test, add test to all-tests.nix 2019-02-12 18:26:39 +01:00
Florian Klink
e6df4dfe59
Merge pull request #54800 from nlewo/nova
Remove cloud-init from the Openstack image configuration
2019-02-11 22:23:32 +01:00
Antoine Eiche
ff31014687 nixos/tests/ec2: reuse ssh keys from ssh-keys.nix 2019-02-11 20:58:45 +01:00
Antoine Eiche
d190b204f0 Rename novaImage to openstackImage
People don't necessarily know `nova` is related to Openstack (it is a
component of Openstack). So, it is more explicit to call it
`openstackImage`.
2019-02-11 20:58:44 +01:00
Pierre Bourdon
c0829a0859
nixos/tests/gitea: fix eval warnings
trace: warning: config.services.gitea.database.password will be stored as plaintext
        in the Nix store. Use database.passwordFile instead.

(Arguably, this shouldn't be a warning at all. But making it happy is
easier than having a debate on the value of this warning.)
2019-02-11 03:13:03 +01:00
Pierre Bourdon
f90a60a33c
nixos/tests/ndppd: fix eval warnings
trace: warning: The options services.ndppd.interface and services.ndppd.network will probably be removed soon,
please use services.ndppd.proxies.<interface>.rules.<network> instead.
2019-02-11 03:12:56 +01:00
Pierre Bourdon
4b959cd354
nixos/tests/rspamd: fix eval warnings
trace: warning: The option `services.rspamd.bindUISocket' defined in `<unknown-file>' has been renamed to `services.rspamd.workers.controller.bindSockets'.
trace: warning: The option `services.rspamd.bindSocket' defined in `<unknown-file>' has been renamed to `services.rspamd.workers.normal.bindSockets'.
trace: warning: The option `services.rspamd.workers.”rspamd_proxy".type` defined in `<unknown-file>' has enum value `proxy` which has been renamed to `rspamd_proxy`
2019-02-11 02:59:55 +01:00
Matthew Bauer
5c09d977c7 Merge remote-tracking branch 'origin/master' into staging 2019-02-09 12:14:06 -05:00
Ryan Mulligan
d2904c8fbd
Merge pull request #53442 from erictapen/osrm-test
nixos/tests: add osrm-backend test
2019-02-08 06:46:57 -08:00
Maximilian Bosch
6fb825b057 nixos/roundcube: add package option
With this option it's possible to specify a custom expression for
`roundcube`, i.e. a roundcube environment with third-party plugins as
shown in the testcase.
2019-02-08 13:35:09 +00:00
lewo
15e43d59cf
Merge pull request #55101 from lopsided98/hydra-update
hydra: 2018-08-07 -> 2019-02-01
2019-02-07 17:59:46 +01:00
Léo Gaspard
a59a9a7e60
Merge branch 'pr-55320'
* pr-55320:
  nixos/release-notes: mention breaking changes with matrix-synapse update
  nixos/matrix-synapse: reload service with SIGHUP
  nixos/tests/matrix-synapse: generate ca and certificates
  nixos/matrix-synapse: use python to launch synapse
  pythonPackages.pymacaroons-pynacl: remove unmaintained fork
  matrix-synapse: 0.34.1.1 -> 0.99.0
  pythonPackages.pymacaroons: init at 0.13.0
2019-02-07 17:12:04 +01:00
Maximilian Bosch
1649b4899f
nixos/hydra: enhance test for multiple Nix versions
Hydra should support multiple Nix versions (and currently contains fixes
to work with Nix 2.0 and higher).

Further Nix versions can be added to the `hydraPkgs` expression in the
test case which lists all supported Nix versions for Hydra.
2019-02-07 16:39:35 +01:00
nyanloutre
4a5f1bb9bc nixos/tests/matrix-synapse: generate ca and certificates 2019-02-06 16:21:07 +01:00
Peter Hoeg
7003a28916
Merge pull request #54541 from dotlambda/home-assistant-0.86
home-assistant: 0.85.1 -> 0.86.4
2019-02-06 09:02:28 +08:00
Silvan Mosberger
dfce20e4e3
Merge pull request #51980 from ToxicFrog/munin-plugins
nixos/munin: New options (and some bugfixes) for service configuration
2019-02-05 19:35:03 +01:00
Florian Klink
400aa7b86a minio: add test to nixos/tests/all-tests.nix 2019-02-05 17:38:34 +01:00
aanderse
b8a9c3fbfd redmine: 3.4.8 -> 4.0.1 (#55234)
* redmine: 3.4.8 -> 4.0.1

* nixos/redmine: update nixos test to run against both redmine 3.x and 4.x series

* nixos/redmine: default new installs from 19.03 onward to redmine 4.x series, while keeping existing installs on redmine 3.x series

* nixos/redmine: add comment about default redmine package to 19.03 release notes

* redmine: add aandersea as a maintainer
2019-02-05 11:51:33 +00:00
Ben Kelly
0c3208a8e4 nixos/munin: add disabledPlugins option
This is just a set of globs to remove from the active plugins directory
after autoconfiguration is complete.

I also removed the hard-coded disabling of "diskstats", since it seems
to work just fine now.
2019-02-04 20:17:26 -05:00
Maximilian Bosch
5a3a543078
Merge pull request #55122 from elseym/ndppd-module
ndppd module: refactor and fix
2019-02-04 21:51:00 +01:00
Pierre Bourdon
a8da72b012
nixos/tests/postgresql: fix regression from #55106 2019-02-04 03:56:43 +01:00
Maximilian Bosch
a29294cb95
nixos/ndppd: register test 2019-02-03 16:47:01 +01:00
Franz Pletz
f1b91b5726
nixos/tests: add ndppd test 2019-02-03 13:21:07 +01:00
Robert Schütz
f85453f060 nixos/home-assistant: add configWritable option 2019-02-03 13:08:11 +01:00
Danylo Hlynskyi
bd0bb9e497
postgresql test: fix (#55106)
Commit https://github.com/NixOS/nixpkgs/pull/55097 didn't modify all usages of postgresql/default.nix.

Also, replaced "random" pg with pg11. Random pg was always pg10.
2019-02-03 13:03:53 +02:00
Florian Klink
e84a23c5f7 neo4j: add neo4j test 2019-02-01 16:01:08 +01:00
Vladimír Čunát
8ba516664b
Merge branch 'staging-next' into staging 2019-02-01 09:42:53 +01:00
Jan Tojnar
65e6d80ecd
Merge pull request #53425 from dtzWill/update/fwupd-1.2.3
fwupd: 1.2.1 -> 1.2.3

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
2019-01-31 23:22:38 +01:00
Florian Klink
d3c2ed21d0
Merge pull request #53762 from ju1m/nslcd
Improving integration of `nslcd`, PAM and `openldap`.
2019-01-30 19:34:40 +01:00
Robert Schütz
5acb21453f
Merge pull request #54904 from dotlambda/home-assistant-cli-0.4.2
home-assistant-cli: 0.3.0 -> 0.4.2
2019-01-30 09:18:24 +01:00
Robert Schütz
cfd556fd4a home-assistant-cli: 0.3.0 -> 0.4.2 2019-01-29 23:57:12 +01:00
Pierre Bourdon
20b1febace
nixos/tests: add nginx-sso basic functionality test 2019-01-29 19:54:14 +01:00
Wael Nasreddine
f072cfe1eb
nixos/pam: refactor U2F, docs about u2f_keys path (#54756)
* change enableU2F option to u2f.* set
* add few u2f options (not all) to customize pam-u2f module
* document default u2f_keys locations

Co-authored-by: Tomasz Czyż <tomasz.czyz@gmail.com>
Co-authored-by: Arda Xi <arda@ardaxi.com>
2019-01-29 08:45:26 -08:00
Robert Schütz
f908f6c982 nixos/home-assistant: don't run json2yaml at every start 2019-01-29 08:56:51 +01:00
Robert Schütz
7cc7c5374c nixos/home-assistant: add lovelaceConfig option 2019-01-29 08:56:51 +01:00
Antoine Eiche
849460f878 nova-image: add amazon-init module to the nova image
This allows the VM to provide a `configuration.nix` file to the VM.

The test doesn't work in sandbox because it needs Internet (however it
works interactively).
2019-01-28 14:44:41 +01:00
Florian Klink
38be383a6f
Merge pull request #53419 from uvNikita/containers/fix-bridge
nixos/containers: add bridge without address specified
2019-01-28 12:39:13 +01:00
Antoine Eiche
2858b35100 nova-image: use wget instead of cloud-init (via EC2 API)
The Openstack metadata service exposes the EC2 API. We use the
existing `ec2.nix` module to configure the hostname and ssh keys of an
Openstack Instance.

A test checks the ssh server is well configured.

This is mainly to reduce the size of the image (700MB). Also,
declarative features provided by cloud-init are not really useful
since we would prefer to use our `configuration.nix` file instead.
2019-01-28 11:59:18 +01:00
Jan Tojnar
dd06999e32
fwupd: fix installed tests 2019-01-28 00:15:00 +01:00
Will Dietz
55fa570046
fwupd: blacklist test plugin by default
Don't add the testing "webcam" device,
which is unexpected to see when querying
what devices fwupd believes exist :).

Won't change behavior for anyone defining
the blacklistPlugin option already,
but doesn't seem worth making more complicated.
2019-01-27 21:26:42 +01:00
Matthew Bauer
92f0f8dd68 Merge remote-tracking branch 'NixOS/master' into staging 2019-01-27 00:01:13 -05:00
Jörg Thalheim
ba34ffc665
Merge pull request #54619 from Mic92/remove-wkennington
treewide: remove wkennington as maintainer
2019-01-26 23:37:27 +00:00
Danylo Hlynskyi
4fb8bc8238
postgresql: cleanup postgis (#54396)
postgis: cleanup

Another part of https://github.com/NixOS/nixpkgs/pull/38698, though I did cleanup even more.
Moving docs to separate output should save another 30MB.

I did pin poppler to 0.61 just to be sure GDAL doesn't break again next
time poppler changes internal APIs.
2019-01-26 21:15:43 +02:00
Danylo Hlynskyi
8e985dced0
postgresql: reorganize package and its extensions (#54319)
* postgresql: reorganize package and its extensions

Extracts some useful parts of https://github.com/NixOS/nixpkgs/pull/38698,
in particular, its vision that postgresql plugins should be namespaced.
2019-01-26 19:46:57 +02:00
Jörg Thalheim
b5c1deca8a
treewide: remove wkennington as maintainer
He prefers to contribute to his own nixpkgs fork triton.
Since he is still marked as maintainer in many packages
this leaves the wrong impression he still maintains those.
2019-01-26 10:05:32 +00:00
Elis Hirwing
3df02c6c03
nixos/jackett: Add test for jackett to ensure startup 2019-01-25 07:12:41 +01:00
Elis Hirwing
eb356ef3f8
nixos/lidarr: Add test for lidarr to ensure startup 2019-01-25 07:12:08 +01:00
Elis Hirwing
ddcb2c473d
nixos/radarr: Add test for radarr to ensure startup 2019-01-25 07:11:28 +01:00
Elis Hirwing
8be2345baf
nixos/sonarr: Add test for sonarr to ensure startup 2019-01-25 07:10:40 +01:00
Justin Humm
694c351cc3
nixos/tests: add osrm-backend test 2019-01-25 00:43:34 +01:00
worldofpeace
4abc6ff9e8 nixos/tests/all-tests.nix: add pantheon 2019-01-24 17:33:05 -05:00
worldofpeace
78da8d668b pantheon: init at 5.0 2019-01-24 20:54:14 +00:00
Silvan Mosberger
d9f39b7252
Merge pull request #54310 from Mic92/postgresq-backup
nixos/postgresqlBackup: add backupAll option
2019-01-23 21:40:39 +01:00
Jörg Thalheim
ecd1129dee
nixos/telegraf: add test 2019-01-21 11:37:20 +00:00
Jörg Thalheim
1af4f366ca
nixos/postgresqlBackup: add backupAll option
For large setups it is useful to list all databases explicitly
(for example if temporary databases are also present) and store them in extra
files.
For smaller setups it is more convenient to just backup all databases at once,
because it is easy to forget to update configuration when adding/renaming
databases. pg_dumpall also has the advantage that it backs up users/passwords.

As a result the module becomes easier to use because it is sufficient
in the default case to just set one option (services.postgresqlBackup.enable).
2019-01-19 11:41:06 +00:00
Julien Moutinho
65cfba23af nixos/tests: test LDAP password changing through nslcd
NOTE: slapd.conf is deprecated, hence use cn=config.
2019-01-18 05:13:42 +01:00
Vladyslav M
95a0e24381
Merge pull request #53952 from Ma27/improve-gitea-module
nixos/gitea: minor fixes
2019-01-15 23:55:16 +02:00
Maximilian Bosch
ad3a50e25b
nixos/gitea: add option to disable registration
Although this can be added to `extraOptions` I figured that it makes
sense to add an option to explicitly promote this feature in our
documentation since most of the self-hosted gitea instances won't be
intended for common use I guess.

Also added a notice that this should be added after the initial deploy
as you have to register yourself using that feature unless the install
wizard is used.
2019-01-14 16:04:02 +01:00
elseym
8a8bf886b5
nixos/containers: explicitly set link up on host for extraVeths 2019-01-13 11:27:39 +01:00
Piotr Bogdan
cfc281f571 nixos/tests/kerberos: fix evaluation 2019-01-11 04:36:51 +00:00
Maximilian Bosch
44a80294f7
Merge pull request #53746 from zaninime/patch-1
nexus: 3.12.1 -> 3.14.0-04
2019-01-10 23:01:26 +01:00
Maximilian Bosch
edcd1494f7
nixos/nexus: increase disk size of VM test to 8GB
Nexus increased their default minimum disk space requirement to 4GB:

```
com.orientechnologies.orient.core.exception.OLowDiskSpaceException: Error occurred while executing a
write operation to database 'OSystem' due to limited free space on the disk (1823 MB). The database
is now working in read-only mode. Please close the database (or stop OrientDB), make room on your hard
drive and then reopen the database. The minimal required space is 4096 MB. Required space is now
set to 4096MB (you can change it by setting parameter storage.diskCache.diskFreeSpaceLimit) .
server# [   72.560866] zqnav3mg7m6ixvdcacgj7p5ibijpibx5-unit-script-nexus-start[627]:   DB name="OSystem"
```

Including the rest on the VM, 8GB should be the most suitable solution.
As the installer test also takes 8GB of disk size this should still be
in an acceptable range.
2019-01-10 22:44:26 +01:00
lewo
7612a6add4
Merge pull request #52870 from xtruder/pkgs/dockerTools/buildLayeredImage/extraCommands
dockerTools: allow to pass extraCommands, uid and gid to buildLayered image
2019-01-10 19:00:19 +01:00
Jaka Hudoklin
954cda5c9d
dockerTools: allow to pass extraCommands, uid and gid to buildLayeredImage 2019-01-10 16:02:23 +01:00
Nikita Uvarov
53013ead39
nixos/containers: add bridge without address specified
According to systemd-nspawn(1), --network-bridge implies --network-veth,
and --port option is supported only when private networking is enabled.
Fixes #52417.
2019-01-07 14:21:17 +01:00
Joachim Fasting
e6538caa48
nixos/tests: re-enable hardened test
Has been okay since 62623b60d5
2019-01-06 14:08:20 +01:00
Joachim Fasting
39c30a33c1
nixos/tests/hardened: test loading out-of-tree-modules 2019-01-06 13:19:28 +01:00
Frederik Rietdijk
e5381cdece Merge master into staging-next 2019-01-06 09:36:23 +01:00
Jörg Thalheim
2614c8a6c5
nixos/xss-lock: specify a default locker
Having a default locker is less error-prone and more convenient.
Incorrect values might leave the machine vulnerable since there is no
fallback.
2019-01-05 16:42:30 +01:00
Frederik Rietdijk
9618abe87c Merge master into staging-next 2019-01-04 21:13:19 +01:00
Jean-Philippe Braun
4f99f8d2cb nixos/prometheus-bind-exporter: add module 2019-01-03 21:14:21 +01:00
Frederik Rietdijk
10afccf145 Merge staging-next into staging 2018-12-27 18:11:34 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Jan Tojnar
ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00