1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-28 08:31:59 +00:00
Commit graph

135 commits

Author SHA1 Message Date
Joachim Fasting ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting 84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Graham Christensen 6db866cbd2
Revert "zfs cannot be distributed. Disabling it in the isos."
ZFS's popularity is growing, and not including it by default is a
bit frustrating. On top of that, the base iso includes ZFS
_anyway_ due to other packages depending upon it.

I think we're in the clear to do this on the basis that Oracle
probably doesn't care, it is probably fine (the SFLC agrees) and
we're a small fish. If a copyright holder asks us to, we can
definitely revert it again.

This reverts commit 33d07c7ea9.
2018-11-26 17:51:18 -05:00
Ding Xiang Fei b011049cf6 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-26 12:04:07 +08:00
Joachim Fasting 6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00
Ding Xiang Fei ceececbd04 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-14 12:32:28 +08:00
Ding Xiang Fei 4259f7575e use closure-info for building system tarball 2018-11-07 12:52:53 +08:00
Eelco Dolstra be6e4b8af8
Merge pull request #49326 from c0bw3b/nixos/installation-device
nixos/installation-device: set GC initial heap size to 1MB
2018-10-30 14:13:59 +01:00
Matthew Bauer a943bc9e04
Merge pull request #48801 from matthewbauer/cloneConfigExtra
ova: add cloneConfigExtra option
2018-10-28 19:05:16 -05:00
Renaud fc476599ad
installation-device: set GC initial heap size to 1MB
100000 (100kB) is too aggressive (too low) and gets ignored by the GC
See issue #43339
2018-10-28 10:48:00 +01:00
Tuomas Tynkkynen cc92fc0a83 nixos/installation-device: Move systemPackages additions to profiles/base
Other package additions are there as well.
2018-10-27 15:17:13 +03:00
Tuomas Tynkkynen 717206010f nixos/installer: Drop extra copy of w3m
The nixos-manual service already uses w3m-nographics for a variant that
drops unnecessary junk like various image libraries.

iso_minimal closure (i.e. uncompressed) goes from 1884M -> 1837M.
2018-10-27 13:16:30 +03:00
Matthew Bauer 1902adb437 ova: add cloneConfigExtra option
Customize virtualbox ovas to contain a clone config option giving some
useful hints.

Fixes #38429
2018-10-21 14:52:49 -05:00
Joachim F 205aff5a65
Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
2018-10-15 21:25:42 +00:00
Joachim Fasting f4ea22e5de
nixos/security/misc: init
A module for security options that are too small to warrant their own module.

The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
   Nix sandbox builds to work

In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.
2018-10-15 23:11:37 +02:00
Joachim Fasting cb845123d4
nixos/hardened: add myself to maintainers 2018-10-15 01:33:33 +02:00
aszlig c5bb43188d
nixos: Fix eval error for documentation.nixos
Introduced by 0f3b89bbed.

If services.nixosManual.showManual is enabled and
documentation.nixos.enable is not, there is no
config.system.build.manual available, so evaluation fails. For example
this is the case for the installer tests.

There is however an assertion which should catch exactly this, but it
isn't thrown because the usage of config.system.build.manual is
evaluated earlier than the assertions.

So I split the assertion off into a separate mkIf to make sure it is
shown appropriately and also fixed the installation-device profile to
enable documentation.nixos.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @oxij
2018-09-25 23:39:44 +02:00
Michael Raskin 61abf3bbd9
Merge pull request #47298 from oxij/nixos/doc-in-installer
nixos: fix fallout from #46193
2018-09-25 09:00:43 +00:00
xeji bc22265e65
Merge pull request #47296 from matthewbauer/closure-size-reductions
ISO/OVA closure size reductions
2018-09-24 23:21:02 +02:00
Jan Malakhovski 1a6ce11518 nixos: doc: fix minimal profile and installer configs 2018-09-24 21:07:59 +00:00
Matthew Bauer 2b7d6e463e nixos: don’t enableQt4Support for installer profile
This is already done in
installer/cd-dvd/installation-cd-graphical-kde.nix but not in
profiles/graphical.nix. Related to #47256.
2018-09-24 15:07:25 -05:00
Samuel Dionne-Riel ebf041d4bd
Merge pull request #46193 from oxij/nixos/manual-to-doc
nixos: doc: implement #12542
2018-09-24 00:09:23 -04:00
Jan Malakhovski 0f3b89bbed nixos: doc: move non-service parts of service.nixosManual to documentation.nixos 2018-09-23 20:50:47 +00:00
Matthew Bauer 94bec239d5 nixos: make firefox default browser
Without this the graphical installer has no way to open the manual.
You can fix it yourself by installing any HTML browser but this might
be unfamiliar to users new to NixOS and without any other way to open
the manual. The downside is it will also increase download sizes.

Fixes #46537
2018-09-22 23:33:16 -05:00
volth d4ef7c6772 usb-storage -> uas
Following up https://github.com/NixOS/nixpkgs/pull/23665

Bootable USB-drives are not limited to ISO-images, there can be "normal" MBR/GPT-partitioned disk connected via USB-rack.
Also, "uas" implies "usb-storage", so there is no need to mention both.
2018-08-23 01:42:34 +00:00
Tuomas Tynkkynen 58dc26180f nixos: Fix iso_graphical evaluation
I broke it:
in job ‘nixos.iso_graphical.x86_64-linux’:
The option `services.udisks2.enable' has conflicting definitions, in `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/profiles/installation-device.nix' and `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/services/x11/desktop-managers/plasma5.nix'.
2018-08-17 07:43:58 +03:00
Tuomas Tynkkynen 571fb74f44 installer: Disable udisks
Due to whoever-knows-what, udisks nowadays pulls in GTK+ et al. But it
shouldn't be needed anyway in the installer, so disable it.
2018-08-17 06:56:51 +03:00
Bob van der Linden e1da32d887 set initialHashedPassword in installation-device.nix 2018-08-07 14:45:50 +02:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth 87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Tuomas Tynkkynen 91117f0d1d nixos/installer: Drop dmraid
This seems some obsolete software RAID configuration program that hasn't
been updated since 2010.
2018-05-25 01:55:51 +03:00
Nikolay Amiantov e711da345c base profile: add mkpasswd to system packages
Allows the user to generate password hashes for the installed system easier.
2018-05-09 00:20:02 +03:00
Michael Raskin b07ce1fb74
Merge pull request #38114 from oxij/nixos/doc-module
nixos: doc module
2018-04-05 07:09:32 +00:00
Graham Christensen 9b30d48b2b
Merge pull request #37288 from cleverca22/improve-make-tarball
make-system-tarball: allow alternate compression methods
2018-04-04 10:11:25 -04:00
Michael Bishop 3c9e579d1e
make-system-tarball: allow alternate compression methods 2018-04-03 11:30:43 -03:00
Jan Malakhovski 98fd9b7f86 nixos: doc: introduce documentation config subtree 2018-03-30 06:52:26 +00:00
volth f68871764d treewide: replace depecated alias s/mssys/ms-sys/g 2018-03-22 10:13:21 +00:00
Matthew Bauer 1e621ff423 demo: autologin through xserver
also disable upower on virtualbox
Fixes #36348
2018-03-05 14:48:01 -06:00
Eelco Dolstra b14d9e1568
Add jq to the installation media
This is required by closureInfo.
2018-02-27 20:20:37 +01:00
Shea Levy 943592f698
Add setFunctionArgs lib function.
Among other things, this will allow *2nix tools to output plain data
while still being composable with the traditional
callPackage/.override interfaces.
2018-01-31 14:02:19 -05:00
Franz Pletz e2fe111d46
nixos/profiles/all-hardware: remove unavailable modules 2017-12-29 11:37:21 +01:00
Tuomas Tynkkynen f3794bb8cb nixos/qemu-guest: Ensure virtio_mmio is available in initrd
ARM and AArch64 might use virtio_mmio in some cases.
2017-11-26 11:22:39 +02:00
Franz Pletz 3855b7977c
nixos: clean up kernel modules
* the keyboard modules in all-hardware.nix are already defaults of
   boot.initrd.availableKernelModules
 * ide modules, hid_lenovo_tpkbd and scsi_wait_scan have been removed
   because they're not available anymore
 * i8042 was a duplicate (see few lines abowe)
2017-10-07 01:48:03 +02:00
Franz Pletz 3d040f9305
nixos/install: disable kernel debug console logging
Add another option for debugging instead. Lots of users have been
complaining about this default behaviour.

This patch also cleans up the EFI bootloader entries in the ISO.
2017-09-23 20:03:19 +02:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim Fasting 8aa0618cf0
nixos/hardened: blacklist a few obscure net protocols 2017-09-09 17:37:17 +02:00
Joachim Fasting 2bce0b13e7
nixos/hardened: set mmap_min_addr
This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages
2017-09-09 17:37:15 +02:00
Graham Christensen 1b68193167
profiles/graphical.nix: enable libinput over synaptics 2017-08-30 20:25:11 -04:00