1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
Commit graph

79 commits

Author SHA1 Message Date
Joachim Fasting a1678269f9
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 15:17:27 +02:00
Joachim Fasting 1dd3ba924b
nixos/hardened profile: disable hibernation
Recommended by KSPP
2017-04-30 12:06:11 +02:00
Joachim Fasting 8c98e8ca2f
nixos/hardened profile: use the linux_hardened kernel 2017-04-30 12:05:40 +02:00
Joachim Fasting 6a5a5728ee
nixos/hardened profile: lock kernel modules 2017-04-30 12:05:38 +02:00
Joachim Fasting 63433537ce
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
2017-04-29 17:27:11 +02:00
Joachim Fasting 063ac40304
nixos: add a "hardened" profile
The idea is to provide a convenient way to enable most vanilla hardening
features in one go.  The hardened profile, then, will serve as a place for
features that enhance security but cannot be enabled for all deployments
because they interfere with legitimate use cases (e.g., using ptrace to
debug problems in an already running process).

Closes https://github.com/NixOS/nixpkgs/pull/24680
2017-04-23 11:00:52 +02:00
Thomas Tuegel 8e6bdcc731
nixos: fix renaming warning in graphical profile 2017-03-03 07:27:41 -06:00
Graham Christensen b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5 2017-02-09 21:52:00 -05:00
taku0 8dfa60ce73 nixos-generate-config.pl, all-hardware.nix: Add support for Hyper-V 2017-02-05 18:22:26 +09:00
Pascal Bach 01fd86723c install-device: correct command to start sshd 2017-01-25 21:09:31 +01:00
Pascal Bach 03ef04f0a4 install-device: permit root login with password
Allow password login to the installation this allows doing remote installation
via SSH. All that need to be done on the local machine is:
1. Boot from the installation media
2. Set a password with passwd
3. Enable SSH with systemctl start sshd

It is safe as root doesn't have a password by default
and SSH is disabled by default.

Fixes #20718
2017-01-25 21:09:31 +01:00
Tuomas Tynkkynen b63f97c6e6 installer: Include stdenvNoCC
And don't include ArchiveCpio as that one is no longer needed after
5a8147479 ("make-initrd: create reproducible initrds").
2017-01-23 23:49:18 +02:00
Robin Gloster f4f4200d9a
install-devices: add vim
This moves vim to the install-device profile to add vim to netboot, too.

Fixes #20013 (see discussion there for further information)
2017-01-18 17:57:31 +01:00
Franz Pletz 88908145ea
nixos installer: don't log refused packets to console
Fixes #19764.
2017-01-09 19:24:41 +01:00
Lluís Batlle i Rossell 33d07c7ea9 zfs cannot be distributed. Disabling it in the isos.
It seems that it is a GPL violation to distribute zfs in the
installation ISOs.

https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

If anyone knows the issue better and has a reason to reenable it
legally, feel free to reenable it. I don't know much about it.
2016-12-28 14:57:06 +01:00
Franz Pletz da600849e3
nixos: disable sound for minimal ISO
Saves a few megabytes of ALSA stuff.
2016-11-23 02:24:13 +01:00
Franz Pletz f983743d75
w3m-nox: use imlib2 without X11 support
Also, the minimal live CD previously installed both the X11 and
non-X11 versions (through services.nixosManual) of w3m.
2016-11-23 02:24:12 +01:00
Franz Pletz ffac67fcf3
nixos/base: don't include dar & cabextract in ISO
Should free up lots of space due to dependency on gnupg, which dpeends on
openldap which pull in gcc.
2016-11-23 02:24:11 +01:00
Bjørn Forsman 32efdb7128 treewide: sshfsFuse -> sshfs-fuse 2016-09-18 17:44:30 +02:00
Eelco Dolstra ab49ebe6fa Make it possible to disable "info" 2016-09-05 14:53:27 +02:00
Eelco Dolstra 5e5df88457 modules/profiles/minimal.nix: Disable "man" 2016-09-05 14:53:27 +02:00
Eric Sagnes 9236eedbc3 documentation: fix start display-manager command
[Bjørn: The 'start' alias was removed in commit 1d9651e723
("Remove systemd shell aliases").]
2016-07-04 10:25:31 +02:00
Tuomas Tynkkynen 60f5659dad treewide: Use correct output in ${config.nix.package}/bin 2016-04-25 16:44:37 +02:00
Eelco Dolstra 0729f60697 Remove "which" from base.nix 2016-04-18 14:20:49 +02:00
Eelco Dolstra cd396076ec Revert "Revert "Remove which -> type -P alias.""
This reverts commit ddd480ac30. Gave it
some more thought.
2016-04-18 14:20:49 +02:00
Vladimír Čunát d1df28f8e5 Merge 'staging' into closure-size
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
Vladimír Čunát ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Eelco Dolstra 1783e33b06 Fix the boot-ec2-config test 2016-03-30 22:22:40 +02:00
Eelco Dolstra ddd480ac30 Revert "Remove which -> type -P alias."
This reverts commit e8e8164f34. I
misread the original commit as adding the "which" package, but it only
adds it to base.nix. So then the original motivation (making it work
in subshells) doesn't hold. Note that we already have some convenience
aliases that don't work in subshells either (such as "ll").
2016-03-25 17:17:07 +01:00
Vladimír Čunát 09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Domen Kožar 73ba0ae2de Remove which -> type -P alias.
Aliases are not the same as programs. They won't work in subshells.
It's better to just use which as it's only 88K.
2016-03-03 16:15:25 +00:00
Eelco Dolstra 806b27a297 qemu-guest.nix: Disable rngd
This gets rid of a zillion "rngd[N]: read error" messages during boot.
2016-02-23 11:56:09 +01:00
Vladimír Čunát 716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Robin Gloster 391c330042 wpa_supplicant service: jobs -> systemd.services
Fixes an occurence of `jobs` usage causing tests to fail to evaluate.

thanks @domenkozar
2016-01-06 03:58:39 +00:00
Tuomas Tynkkynen 9ac80c1f15 installation-cd-graphical: Enable the 'synaptics' touchpad driver
This is needed to get touchpad working in the installer on several
laptops. Tested on a Thinkpad X250.
2015-12-24 17:45:51 +02:00
Luca Bruno a412927924 Merge remote-tracking branch 'origin/master' into closure-size 2015-11-25 21:37:30 +01:00
Roger Qiu 1ddbc20dac Change the preset networking.hostId to use mkDefault so it can be easily changed by the user later 2015-11-22 01:03:16 +11:00
Vladimír Čunát 5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jan Malakhovski dddcec21fe nixos: add xfs support to profiles/minimal 2015-09-18 18:58:18 +00:00
Vladimír Čunát 7dc9450ed2 nixos/ISO profile: fix defaultLocales :-)
https://github.com/NixOS/nixpkgs/commit/eb4a88d8fd2#commitcomment-12527102
2015-08-06 12:30:38 +02:00
Eelco Dolstra 91e71725d4 Remove some obsolete references to <nixos> 2015-08-05 17:37:08 +02:00
rushmorem d9c56c696f Replaces https://github.com/NixOS/nixpkgs/pull/8368 2015-06-17 19:26:17 +02:00
Rushmore Mushambi 8170e74d9f Revert "Make it possible to boot NixOS from a SCSI Disk on KVM" 2015-06-17 19:13:08 +02:00
rushmorem ee3768b9ba Make it possible to boot NixOS from a SCSI Disk on KVM
Currently NixOS can't boot from a SCSI disk as a KVM Guest.
I found this out while installing it on the new [Linode KVM
platform](https://www.linode.com/docs/platform/kvm#custom-kernel-configuration).
2015-06-17 17:28:07 +02:00
Eelco Dolstra e5db79a859 Move stuff to modules/profiles/installation-device.nix 2015-06-10 15:28:55 +02:00
Eelco Dolstra 6bf1853387 Don't include 4 editors in the minimal installation CD
Emphasis on "minimal".
2015-06-04 11:06:44 +02:00
Eelco Dolstra 2a1c342887 Disable the manual in the minimal profile 2015-05-26 20:20:53 +02:00
Vladimír Čunát 375bc8def7 Merge staging into closure-size 2015-05-05 11:49:03 +02:00
Ricardo M. Correia f5e7190572 nixos.system_tarball_pc: Fix evaluation
It was broken due to 57b05765c9.

ZFS requires `networking.hostId` to be set.
2015-04-28 17:15:02 +02:00
Eelco Dolstra 19366a10fc Remove redundant i18n.supportedLocales setting
This is already set in profiles/minimal.nix.

Probably fixes #7589.
2015-04-27 19:21:28 +02:00