Joachim Fasting
8aa0618cf0
nixos/hardened: blacklist a few obscure net protocols
2017-09-09 17:37:17 +02:00
Joachim Fasting
2bce0b13e7
nixos/hardened: set mmap_min_addr
...
This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages
2017-09-09 17:37:15 +02:00
Graham Christensen
1b68193167
profiles/graphical.nix: enable libinput over synaptics
2017-08-30 20:25:11 -04:00
Vladimír Čunát
dc93744273
rogue: omit from the installation media
...
At least for now. It would increase the ISO size by ~10 MB,
after the fixup in the parent commit.
2017-08-29 16:15:15 +02:00
Joachim Fasting
c0769dc6ef
nixos/hardened profile: increase ASLR entropy
2017-08-13 21:44:13 +02:00
volth
870375e19d
all-hardware.nix: add VMware support. (#27430)
...
NixOS does not boot in VMware guest without these modules
2017-07-17 02:38:10 +02:00
André-Patrick Bubel
d859769f26
nixos: replaced "userns" with "user namespaces" for clarity
...
"userns" wasn't introduced as an abbreviation elsewhere as far as I can see, and I wasn't sure what was meant at first.
2017-06-22 22:04:34 +02:00
Jörg Thalheim
e697585675
hardware.enableRedistributableFirmware: fix spelling error
2017-05-09 20:13:15 +01:00
Jörg Thalheim
05aa80c06a
hardware: add enableRedistributalFirmware
...
Due to the recent inclusion of broadcom-bt-firmware in enableAllFirmware,
it was required to set `nixpkgs.config.allowUnfree` to obtain the full
list. To make this dependency more explicit an assertion is added and an
alternative option `enableRedistributalFirmware` is provided to only
obtain firmware with a license allowing redistribution.
2017-05-09 15:29:08 +01:00
Joachim Fasting
a1678269f9
nixos/hardened profile: disable user namespaces at runtime
2017-04-30 15:17:27 +02:00
Joachim Fasting
1dd3ba924b
nixos/hardened profile: disable hibernation
...
Recommended by KSPP
2017-04-30 12:06:11 +02:00
Joachim Fasting
8c98e8ca2f
nixos/hardened profile: use the linux_hardened kernel
2017-04-30 12:05:40 +02:00
Joachim Fasting
6a5a5728ee
nixos/hardened profile: lock kernel modules
2017-04-30 12:05:38 +02:00
Joachim Fasting
63433537ce
nixos/hardened profile: disable legacy virtual syscalls
...
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration. Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.
For background on virtual syscalls see https://lwn.net/Articles/446528/
Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:11 +02:00
Joachim Fasting
063ac40304
nixos: add a "hardened" profile
...
The idea is to provide a convenient way to enable most vanilla hardening
features in one go. The hardened profile, then, will serve as a place for
features that enhance security but cannot be enabled for all deployments
because they interfere with legitimate use cases (e.g., using ptrace to
debug problems in an already running process).
Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-23 11:00:52 +02:00
Thomas Tuegel
8e6bdcc731
nixos: fix renaming warning in graphical profile
2017-03-03 07:27:41 -06:00
Graham Christensen
b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5
2017-02-09 21:52:00 -05:00
taku0
8dfa60ce73
nixos-generate-config.pl, all-hardware.nix: Add support for Hyper-V
2017-02-05 18:22:26 +09:00
Pascal Bach
01fd86723c
install-device: correct command to start sshd
2017-01-25 21:09:31 +01:00
Pascal Bach
03ef04f0a4
install-device: permit root login with password
...
Allow password login to the installation. This allows doing remote installation
via SSH. All that needs to be done on the local machine is:
1. Boot from the installation media
2. Set a password with passwd
3. Enable SSH with systemctl start sshd
It is safe as root doesn't have a password by default
and SSH is disabled by default.
Fixes #20718
2017-01-25 21:09:31 +01:00
Tuomas Tynkkynen
b63f97c6e6
installer: Include stdenvNoCC
...
And don't include ArchiveCpio as that one is no longer needed after
5a8147479
("make-initrd: create reproducible initrds").
2017-01-23 23:49:18 +02:00
Robin Gloster
f4f4200d9a
install-devices: add vim
...
This moves vim to the install-device profile to add vim to netboot, too.
Fixes #20013 (see discussion there for further information)
2017-01-18 17:57:31 +01:00
Franz Pletz
88908145ea
nixos installer: don't log refused packets to console
...
Fixes #19764.
2017-01-09 19:24:41 +01:00
Lluís Batlle i Rossell
33d07c7ea9
zfs cannot be distributed. Disabling it in the isos.
...
It seems that it is a GPL violation to distribute zfs in the
installation ISOs.
https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/
If anyone knows the issue better and has a reason to reenable it
legally, feel free to reenable it. I don't know much about it.
2016-12-28 14:57:06 +01:00
Franz Pletz
da600849e3
nixos: disable sound for minimal ISO
...
Saves a few megabytes of ALSA stuff.
2016-11-23 02:24:13 +01:00
Franz Pletz
f983743d75
w3m-nox: use imlib2 without X11 support
...
Also, the minimal live CD previously installed both the X11 and
non-X11 versions (through services.nixosManual) of w3m.
2016-11-23 02:24:12 +01:00
Franz Pletz
ffac67fcf3
nixos/base: don't include dar & cabextract in ISO
...
Should free up lots of space due to dependency on gnupg, which depends on
openldap which pulls in gcc.
2016-11-23 02:24:11 +01:00
Bjørn Forsman
32efdb7128
treewide: sshfsFuse -> sshfs-fuse
2016-09-18 17:44:30 +02:00
Eelco Dolstra
ab49ebe6fa
Make it possible to disable "info"
2016-09-05 14:53:27 +02:00
Eelco Dolstra
5e5df88457
modules/profiles/minimal.nix: Disable "man"
2016-09-05 14:53:27 +02:00
Eric Sagnes
9236eedbc3
documentation: fix start display-manager command
...
[Bjørn: The 'start' alias was removed in commit 1d9651e723
("Remove systemd shell aliases").]
2016-07-04 10:25:31 +02:00
Tuomas Tynkkynen
60f5659dad
treewide: Use correct output in ${config.nix.package}/bin
2016-04-25 16:44:37 +02:00
Eelco Dolstra
0729f60697
Remove "which" from base.nix
2016-04-18 14:20:49 +02:00
Eelco Dolstra
cd396076ec
Revert "Revert "Remove which -> type -P alias.""
...
This reverts commit ddd480ac30. Gave it
some more thought.
2016-04-18 14:20:49 +02:00
Vladimír Čunát
d1df28f8e5
Merge 'staging' into closure-size
...
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
Vladimír Čunát
ab15a62c68
Merge branch 'master' into closure-size
...
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Eelco Dolstra
1783e33b06
Fix the boot-ec2-config test
2016-03-30 22:22:40 +02:00
Eelco Dolstra
ddd480ac30
Revert "Remove which -> type -P alias."
...
This reverts commit e8e8164f34. I
misread the original commit as adding the "which" package, but it only
adds it to base.nix. So then the original motivation (making it work
in subshells) doesn't hold. Note that we already have some convenience
aliases that don't work in subshells either (such as "ll").
2016-03-25 17:17:07 +01:00
Vladimír Čunát
09af15654f
Merge master into closure-size
...
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Domen Kožar
73ba0ae2de
Remove which -> type -P alias.
...
Aliases are not the same as programs. They won't work in subshells.
It's better to just use which as it's only 88K.
2016-03-03 16:15:25 +00:00
Eelco Dolstra
806b27a297
qemu-guest.nix: Disable rngd
...
This gets rid of a zillion "rngd[N]: read error" messages during boot.
2016-02-23 11:56:09 +01:00
Vladimír Čunát
716aac2519
Merge branch 'staging' into closure-size
2016-01-19 09:55:31 +01:00
Robin Gloster
391c330042
wpa_supplicant service: jobs -> systemd.services
...
Fixes an occurrence of `jobs` usage causing tests to fail to evaluate.
thanks @domenkozar
2016-01-06 03:58:39 +00:00
Tuomas Tynkkynen
9ac80c1f15
installation-cd-graphical: Enable the 'synaptics' touchpad driver
...
This is needed to get touchpad working in the installer on several
laptops. Tested on a Thinkpad X250.
2015-12-24 17:45:51 +02:00
Luca Bruno
a412927924
Merge remote-tracking branch 'origin/master' into closure-size
2015-11-25 21:37:30 +01:00
Roger Qiu
1ddbc20dac
Change the preset networking.hostId to use mkDefault
so it can be easily changed by the user later
2015-11-22 01:03:16 +11:00
Vladimír Čunát
5227fb1dd5
Merge commit staging+systemd into closure-size
...
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jan Malakhovski
dddcec21fe
nixos: add xfs support to profiles/minimal
2015-09-18 18:58:18 +00:00
Vladimír Čunát
7dc9450ed2
nixos/ISO profile: fix defaultLocales :-)
...
https://github.com/NixOS/nixpkgs/commit/eb4a88d8fd2#commitcomment-12527102
2015-08-06 12:30:38 +02:00
Eelco Dolstra
91e71725d4
Remove some obsolete references to <nixos>
2015-08-05 17:37:08 +02:00