forked from mirrors/nixpkgs

7396 commits

Author SHA1 Message Date
Michael Raskin 689916b98f Merge pull request #25337 from benley/nm-dnsmasq
nixos: optional NetworkManager dnsmasq integration
2017-04-30 12:18:34 +02:00
Joachim Fasting 1dd3ba924b
nixos/hardened profile: disable hibernation
Recommended by KSPP
2017-04-30 12:06:11 +02:00
Joachim Fasting ffa83edf4a
nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various
hardening features (enabled via the hardened profile).

Move hidepid test from misc, so that misc can go back to testing a vanilla
configuration.
2017-04-30 12:05:42 +02:00
Joachim Fasting ab4fa1cce4
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
2017-04-30 12:05:41 +02:00
Joachim Fasting 8c98e8ca2f
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 12:05:40 +02:00
Joachim Fasting 6a5a5728ee
nixos/hardened profile: lock kernel modules 2017-04-30 12:05:38 +02:00
Joachim Fasting 878ad1ce6e
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitimate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session.  This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hdlc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aesthetic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
2017-04-30 12:05:37 +02:00
Jörg Thalheim fa5196e47e Merge pull request #25005 from Lassulus/copytoram
nixos/stage1: add copytoram support
2017-04-30 11:22:45 +02:00
Benjamin Staffin 9827d5f95c
nixos: optional NetworkManager dnsmasq integration 2017-04-30 00:44:19 -07:00
Michael Weiss 852813689a desktop-managers: Use a black BG as fallback
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
2017-04-29 19:03:30 +02:00
Joachim Fasting 63433537ce
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc uses vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:11 +02:00
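The two hardening commits above (security.lockKernelModules and the vsyscall=none kernel parameter) both have runtime effects that can be verified on a booted system. The POSIX shell script below is an added example, not nixpkgs code or part of either commit: it assumes the standard Linux interfaces /proc/sys/kernel/modules_disabled and /proc/modules, and the x86 kernel's "vsyscall attempted with vsyscall=none" log line (arch/x86/entry/vsyscall/vsyscall_64.c). The module names dccp, n_hdlc, xfrm_user and l2tp_eth are illustrative picks for the subsystems the commit message cites, and the file name hardened-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not nixpkgs code): runtime checks for two hardened-profile
# measures, the kernel module lock behind security.lockKernelModules and the
# vsyscall=none kernel parameter. File locations default to the live kernel
# interfaces but can be overridden so the functions run against constructed
# input.

MODULES_DISABLED_FILE="${MODULES_DISABLED_FILE:-/proc/sys/kernel/modules_disabled}"
MODULES_LIST_FILE="${MODULES_LIST_FILE:-/proc/modules}"

# lock_module_loading: what the option ultimately does once the system has
# reached its normal operating state. Writing 1 is one-way: the knob can only
# be cleared by rebooting, so every module the system needs (filesystems,
# network drivers, firewall) must already be loaded when this runs.
lock_module_loading() {
    printf '1\n' > "$MODULES_DISABLED_FILE"
}

# module_loading_locked: 0 if the lock is in effect, 1 if not, 2 if the knob
# is unreadable (e.g. not running on Linux).
module_loading_locked() {
    [ -r "$MODULES_DISABLED_FILE" ] || return 2
    [ "$(cat "$MODULES_DISABLED_FILE")" = "1" ]
}

# module_loaded NAME: 0 if NAME is currently loaded. /proc/modules lines
# start with the module name followed by a space.
module_loaded() {
    grep -q "^$1 " "$MODULES_LIST_FILE"
}

# loaded_from_list NAME...: print, space separated, those of the given
# modules that are loaded. The lock only protects against modules that are
# not yet loaded, so anything printed here must be blacklisted (or not
# loaded in the first place) rather than assumed absent.
loaded_from_list() {
    found=""
    for m in "$@"; do
        if module_loaded "$m"; then found="$found $m"; fi
    done
    printf '%s\n' "${found# }"
}

# vsyscall_offenders LOGFILE: print the "comm[pid]" of every process the
# kernel refused a legacy vsyscall for. With vsyscall=none, x86 logs
#   <comm>[<pid>] vsyscall attempted with vsyscall=none ip:... cs:... sp:... ...
# The field before the first literal "vsyscall" word is the process; comm
# names containing spaces are not handled (an assumption of this example).
vsyscall_offenders() {
    awk '/ vsyscall attempted with vsyscall=none/ {
            for (i = 2; i <= NF; i++) if ($i == "vsyscall") { print $(i - 1); break }
         }' "$1" | sort -u
}

# Stand-alone usage on a booted system: sh hardened-check.sh check
if [ "${1:-}" = "check" ]; then
    if module_loading_locked; then echo "module loading: locked"; else echo "module loading: NOT locked"; fi
    # Illustrative modules for the subsystems named in the lockKernelModules commit.
    echo "loaded despite being normally unneeded: $(loaded_from_list dccp n_hdlc xfrm_user l2tp_eth)"
    echo "vsyscall refusals: $(dmesg 2>/dev/null | vsyscall_offenders - | tr '\n' ' ')"
fi
```

Two caveats when reading the output: the refusal line is only printed while the kernel's show_unhandled_signals setting (sysctl debug.exception-trace) is enabled and it is rate limited, so an empty list is not proof that nothing broke; and a locked kernel does nothing about modules that were already loaded before the lock, which is why the loaded_from_list check is worth running alongside module_loading_locked.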
Jörg Thalheim ffdc1b0ab0 Merge pull request #25310 from jerith666/command-not-found-is-a-dir
fix 'command-not-found: is a directory' error
2017-04-29 11:41:22 +02:00
Robin Gloster edb1ea055e
confluence module: needs bash for health checks 2017-04-29 11:15:59 +02:00
Matt McHenry 48a3e1a88d fix 'command-not-found: is a directory' error 2017-04-28 23:11:21 -04:00
Michael Weiss 1273f414a7 display-managers: Fix the xsession parameters
The xsession script was called with inconsistent (depending on the
display managers) and wrong parameters. The main reason for this were
the spaces in the parameter syntax. In order to fix this the old syntax:
$1 = '<desktop-manager> + <window-manager>'
Will be replaced with a new syntax:
$1 = "<desktop-manager>+<window-manager>"

This assumes that neither "<desktop-manager>" nor "<window-manager>"
contain the "+" character but this shouldn't be a problem.

This patch also fixes the quoting by using double quotes (") instead of
single quotes (') [0].

Last but not least this'll add some comments for the better
understanding of the script.

[0]: https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
2017-04-28 22:00:14 +02:00
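The commit above replaces a space-separated session argument with a single "<desktop-manager>+<window-manager>" string and fixes the quoting around it. The POSIX shell functions below are an added example, not the nixpkgs xsession script: they show how to split that argument with parameter expansion instead of word splitting, so a name containing spaces survives, and how to enforce the commit's stated assumption that neither name contains "+". The session names used in the test input (xfce, i3, "GNOME Flashback") are illustrative.

```shell
#!/bin/sh
# Added example (not the nixpkgs xsession script): parsing the single
# "<desktop-manager>+<window-manager>" argument without word splitting.

# session_valid SESSION: 0 if the argument has exactly one '+' separating
# two non-empty names. This makes the commit's assumption ("neither name
# contains '+'") an explicit check instead of a silent mis-split.
session_valid() {
    case "$1" in
        *+*+*|+*|*+) return 1 ;;   # two separators, or an empty half
        *+*)         return 0 ;;
        *)           return 1 ;;   # no separator at all
    esac
}

# session_dm SESSION: everything before the first '+' (the desktop manager).
# "${1%%+*}" is a single word regardless of spaces in the name.
session_dm() {
    printf '%s\n' "${1%%+*}"
}

# session_wm SESSION: everything after the first '+' (the window manager);
# empty when no '+' is present.
session_wm() {
    case "$1" in
        *+*) printf '%s\n' "${1#*+}" ;;
        *)   printf '\n' ;;
    esac
}

# Stand-alone usage: sh split-session.sh "GNOME Flashback+i3"
# (the script name is hypothetical). Note the double quotes around the
# argument: with the old '<dm> + <wm>' form an unquoted $1 would have been
# split into three words by the shell.
if [ $# -eq 1 ]; then
    session_valid "$1" || { echo "bad session spec: $1" >&2; exit 2; }
    echo "desktop manager: $(session_dm "$1")"
    echo "window manager:  $(session_wm "$1")"
fi
```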
lassulus 87a4615e27 nixos/stage1: add copytoram support 2017-04-28 20:48:09 +02:00
Pascal Wittmann c03d1df5b8 Merge pull request #25110 from iSma/fix/trackpoint-scrolling-etps-elantech
Add Elantech ETPS/2 Trackpoint (ThinkPad Yoga 260)
2017-04-28 15:46:39 +02:00
Domen Kožar 330e800496
nixos: hydra: sync with upstream hydra module 2017-04-28 14:51:25 +02:00
Joachim F 38c98d1072 Merge pull request #25128 from jb55/fix/plex-startup
plex: fix startup issue
2017-04-28 12:48:55 +01:00
Joachim F 0c40ea7340 Merge pull request #21227 from lheckemann/vgaswitcheroo
amd-hybrid-graphics: fix race condition
2017-04-28 12:47:00 +01:00
Joachim Fasting 32b8512e54
grsecurity: discontinue support
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1].  Consequently, we can no longer
responsibly support grsecurity on NixOS.

This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother.  For 17.09 all of it should
probably be pruned.

[1]: https://grsecurity.net/passing_the_baton.php
2017-04-28 12:35:15 +02:00
Alexey Shmalko a012b15f87 Merge pull request #25181 from indiscipline/aria2.service
Implement aria2 service for controlling a daemon via rpc.
2017-04-28 12:37:06 +03:00
Judson Lester 0d72629570 nixos/display-managers: Quote "$vars" (#25199) 2017-04-27 18:01:48 +02:00
Franz Pletz dab5f92ed5 Merge pull request #25210 from Ma27/zsh/refactor-syntax-highlighting
programs.zsh.syntax-highlighting: refactor `highlighters` option for proper validation
2017-04-27 17:37:43 +02:00
Andrew Martin e289b94fbe graphite service: no recursive chown when starting (#24442)
Fixes #24444
2017-04-27 17:33:42 +02:00
Kirill 64a7be7f3c Merge branch 'master' into aria2.service 2017-04-27 17:50:13 +03:00
Kirill 31c4498a47 Fix indentation. Fix openPorts option default to false. 2017-04-27 17:13:27 +03:00
Jörg Thalheim 7b96e3d6a7 Merge pull request #25245 from bachp/docker-proxy
docker: pass all proxy variables to docker daemon
2017-04-27 11:03:46 +02:00
Graham Christensen bdd89faebb
Revert "openvpn service: source up/down scripts"
This reverts commit 50ad243f78.
2017-04-26 12:32:59 -04:00
David McFarland 7deb425286 nixos: use pkgsi686Linux for pkgs_i686 (#24772) 2017-04-26 18:20:38 +02:00
Pascal Bach 846f36203c docker: pass all proxy variables to docker daemon
This makes things as noProxy work too.
2017-04-26 16:55:36 +02:00
Jörg Thalheim 9d3c118320
google-compute-image: append .raw.tar.gz suffix
This restores behavior of image generation before f1708a9d7d
2017-04-26 16:40:38 +02:00
Graham Christensen 5dd731b801
mysql test: test replication persists between slave stop / start cycle 2017-04-25 18:51:49 -04:00
Graham Christensen da0ef84c0c
mysql test: use OpenPort check over blind sleep 2017-04-25 18:51:46 -04:00
Daniel Peebles 1ec8afdfdc Merge pull request #25197 from copumpkin/azure-image-common
azure-image: switch to use the common make-disk-image.nix
2017-04-25 17:18:08 -04:00
Tristan Helmich 50ad243f78
openvpn service: source up/down scripts
source the up/down scripts instead of executing them to avoid losing
access to special variables like $1
2017-04-25 13:18:54 -04:00
Eelco Dolstra e4190943c8
nix: 1.11.8 -> 1.11.9 2017-04-25 17:19:10 +02:00
Maximilian Bosch baa3b3efff
programs.zsh.syntax-highlighting: refactor highlighters option for proper validation
Right now the `programs.zsh.syntax-highlighting.highlighters` option
lacks appropriate validation which can cause confusing things when
mistyping a highlighter for zsh-syntax-highlighting.
2017-04-25 16:00:26 +02:00
Edward Tjörnhammar 45470c65f5
nixos: static ids for jackett, radarr, sonarr 2017-04-25 12:08:21 +02:00
aszlig 72f2b506c7
nixos/grub: Add another example for extraEntries
Someone on IRC wanted to boot Fedora from another disk. While I'm not
too familiar with UEFI booting in conjunction with GRUB2 it took some
time to get it to work.

So in order to save others from frustration I'm adding this as another
example to the extraEntries option.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-04-25 08:50:43 +02:00
Dan Peebles ee2cffbdb4 azure-image: switch to use the common make-disk-image.nix 2017-04-25 02:59:13 +00:00
Graham Christensen 3ab98d0971 Merge pull request #24999 from grahamc/qemu
qemu module: add virtualisation.cores option
2017-04-24 21:30:39 -04:00
Daniel Peebles f2d1aa05de Merge pull request #25165 from copumpkin/google-image-common
google-compute-image: switch to use the common make-disk-image.nix
2017-04-24 18:30:26 -04:00
Данило Глинський (Danylo Hlynskyi) 84b1c0c481 Fix imperative container code examples
For some time NixOS has had the firewall enabled by default, so update the example.
Also, remove newline escaping (it isn't needed).

Closes https://github.com/NixOS/nixpkgs/issues/25174
2017-04-24 22:31:02 +02:00
Graham Christensen 4585fdb9d4
qemu module: add virtualisation.cores option
QEMU can allow guests to access more than one host core at a time.
Previously, this had to be done via ad-hoc arguments:

    virtualisation.qemu.options = ["-smp 12"];

Now you can simply specify:

    virtualisation.cores = 12;
2017-04-24 15:23:46 -04:00
Franz Pletz e74ea4282a
avahi service: add reflector option 2017-04-24 21:06:42 +02:00
Edward Tjörnhammar 0277345265
nixos, i2pd: remove, no longer needed, extip hack 2017-04-24 20:49:13 +02:00
Dan Peebles 9fae0f3f38 google-compute-image: switch to use the common make-disk-image.nix 2017-04-24 18:38:10 +00:00
Kirill 7a6738fefc Implement aria2 service for controlling a daemon via rpc. 2017-04-24 18:50:40 +03:00
Dan Peebles f1708a9d7d make-disk-image: change to be less VM-centric
This changes much of the make-disk-image.nix logic (and thus most NixOS
image building) to use LKL to set up the target directory structure rather
than a Linux VM. The only work we still do in a VM is less IO-heavy stuff
that while still time-consuming, is less of the overall load. The goal is
to kill more of that stuff, but that will require deeper changes to NixOS
activation scripts and switch-to-configuration.pl, and I don't want to
bite off too much at once.
2017-04-24 02:30:00 +00:00