path: root/nixos/modules/profiles
Commit log. Each entry gives the commit subject, then (author, date, files changed, lines removed/added), followed by the commit message body. Indentation marks the branch lane of the commit graph (merged-in commits are indented under the merge commit that brought them in).
* qemu-guest: allow to override security.rngd (Matthieu Coudron, 2019-09-18, 1 file, -2/+2)
  ... otherwise enabling it causes a merge conflict. Enabling it was necessary to give enough entropy for the sshd daemon in my libvirt/nixops VM to generate keys, see https://github.com/NixOS/nixops/issues/1199.

* Merge pull request #63773 from flokli/installation-device-fixes (Florian Klink, 2019-08-31, 1 file, -7/+10)
  installation-device.nix: explain sshd usage, don't include clone-config

  * nixos/installation-device.nix: explain sshd usage (Florian Klink, 2019-08-19, 1 file, -7/+10)

* Merge pull request #66687 from joachifm/feat/hardened-nixos-revert-graphene-malloc (Marek Mahut, 2019-08-19, 1 file, -2/+0)
  Revert "nixos/hardened: use graphene-hardened malloc by default"

  * Revert "nixos/hardened: use graphene-hardened malloc by default" (Joachim Fasting, 2019-08-15, 1 file, -2/+0)
    This reverts commit 48ff4f119735dc60c3e2794a71b00757b838d877. Causes too much breakage to be enabled by default [1][2].
    [1]: https://github.com/NixOS/nixpkgs/issues/61489
    [2]: https://github.com/NixOS/nixpkgs/issues/65000
* nixos/systemd: install sysctl snippets (Florian Klink, 2019-08-18, 1 file, -11/+5)
  systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable:
  - Loose reverse path filtering
  - Source route filtering
  - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)
  This also configures the kernel to pass coredumps to `systemd-coredump`.
  These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`).
  Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set.
  In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.

* nixos-hardened: disable unprivileged userfaultfd syscalls (Joachim Fasting, 2019-08-15, 1 file, -0/+3)
  New in 5.2 [1]
  [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0

* nixos-hardened: enable page alloc randomization (Joachim Fasting, 2019-08-15, 1 file, -0/+3)

* installer: Don't run as root (worldofpeace, 2019-08-12, 1 file, -7/+20)
  There are many reasons why it is, and is going to continue to be, difficult to do this:
  1. All display-managers (excluding slim) default PAM rules disallow root auto login.
  2. We can't use wayland
  3. We have to use system-wide pulseaudio
  4. It could break applications in the session. This happened to dolphin in plasma5 in the past.
  This is a growing technical debt, let's just use passwordless sudo.
* nixos/hardened: make pti=on overridable (Pierre Bourdon, 2019-07-30, 1 file, -3/+2)
  Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.

* Renaming security.virtualization.flushL1DataCache to virtualisation (Marek Mahut, 2019-07-19, 1 file, -1/+1)
  Fixes #65044

* nixos/hardened: harder inet defaults (Joachim Fasting, 2019-07-04, 1 file, -0/+30)
  See e.g., https://github.com/NixOS/nixpkgs/issues/63768
  Forwarding remains enabled for now, need to determine its effects on virtualization, if any.

* nixos/hardened: disable ftrace by default (Joachim Fasting, 2019-07-04, 1 file, -0/+3)

* nixos/hardened: use graphene-hardened malloc by default (Joachim Fasting, 2019-05-07, 1 file, -0/+2)

* profiles/graphical.nix: Enable pulseaudio for virtualbox appliances (Elis Hirwing, 2019-02-22, 1 file, -0/+4)

* types.optionSet: deprecate and remove last usages (danbst, 2019-01-31, 1 file, -1/+1)
* modules/profiles/minimal: sound is disabled by default (Profpatsch, 2019-01-13, 2 files, -2/+1)
  The option is `false` by default since e349ccc77febd45abbd14be14f7de123ec4a4da2, so we don't need to mention it explicitly in these minimal configs.

* nixos/hardened profile: always enable pti (Joachim Fasting, 2019-01-05, 1 file, -0/+3)

* nixos/hardened profile: slab/slub hardening (Joachim Fasting, 2019-01-05, 1 file, -0/+6)
  slab_nomerge may reduce surface somewhat
  slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite freed data. The cost is yet more memory fragmentation ...

* nixos/security/misc: expose SMT control option (Joachim Fasting, 2018-12-27, 1 file, -0/+2)
  For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults.
  TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control

* nixos/security/misc: expose l1tf mitigation option (Joachim Fasting, 2018-12-27, 1 file, -0/+2)
  For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).

* nixos/security/misc: factor out protectKernelImage (Joachim Fasting, 2018-12-27, 1 file, -6/+2)
  Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting).
  This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.

* Revert "zfs cannot be distributed. Disabling it in the isos." (Graham Christensen, 2018-11-26, 1 file, -1/+1)
  ZFS's popularity is growing, and not including it by default is a bit frustrating. On top of that, the base iso includes ZFS _anyway_ due to other packages depending upon it.
  I think we're in the clear to do this on the basis that Oracle probably doesn't care, it is probably fine (the SFLC agrees) and we're a small fish. If a copyright holder asks us to, we can definitely revert it again.
  This reverts commit 33d07c7ea9f0d05d47dd4b41ded3b261380acfac.
* Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo (Ding Xiang Fei, 2018-11-26, 1 file, -0/+2)

  * nixos/hardened: restrict access to nix daemon (Joachim Fasting, 2018-11-24, 1 file, -0/+2)

* Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo (Ding Xiang Fei, 2018-11-14, 1 file, -1/+1)

  * Merge pull request #49326 from c0bw3b/nixos/installation-device (Eelco Dolstra, 2018-10-30, 1 file, -1/+1)
    nixos/installation-device: set GC initial heap size to 1MB

    * installation-device: set GC initial heap size to 1MB (Renaud, 2018-10-28, 1 file, -1/+1)
      100000 (100kB) is too aggressive (too low) and gets ignored by the GC. See issue #43339

* use closure-info for building system tarball (Ding Xiang Fei, 2018-11-07, 1 file, -6/+10)

* Merge pull request #48801 from matthewbauer/cloneConfigExtra (Matthew Bauer, 2018-10-28, 1 file, -0/+9)
  ova: add cloneConfigExtra option

  * ova: add cloneConfigExtra option (Matthew Bauer, 2018-10-21, 1 file, -0/+9)
    Customize virtualbox ovas to contain a clone config option giving some useful hints.
    Fixes #38429
* nixos/installation-device: Move systemPackages additions to profiles/base (Tuomas Tynkkynen, 2018-10-27, 2 files, -3/+3)
  Other package additions are there as well.

* nixos/installer: Drop extra copy of w3m (Tuomas Tynkkynen, 2018-10-27, 1 file, -1/+1)
  The nixos-manual service already uses w3m-nographics for a variant that drops unnecessary junk like various image libraries.
  iso_minimal closure (i.e. uncompressed) goes from 1884M -> 1837M.

* Merge pull request #48439 from joachifm/hardened-misc (Joachim F, 2018-10-15, 1 file, -12/+2)
  nixos/security/misc: init

  * nixos/security/misc: init (Joachim Fasting, 2018-10-15, 1 file, -12/+2)
    A module for security options that are too small to warrant their own module.
    The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to
    1) know which sysctl knob controls userns
    2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work
    In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.

* nixos/hardened: add myself to maintainers (Joachim Fasting, 2018-10-15, 1 file, -0/+4)

* nixos: Fix eval error for documentation.nixos (aszlig, 2018-09-25, 1 file, -0/+1)
  Introduced by 0f3b89bbedc1a33cc1fc3c142e235da2c64614c3.
  If services.nixosManual.showManual is enabled and documentation.nixos.enable is not, there is no config.system.build.manual available, so evaluation fails. For example this is the case for the installer tests.
  There is however an assertion which should catch exactly this, but it isn't thrown because the usage of config.system.build.manual is evaluated earlier than the assertions.
  So I split the assertion off into a separate mkIf to make sure it is shown appropriately and also fixed the installation-device profile to enable documentation.nixos.
  Signed-off-by: aszlig <aszlig@nix.build>
  Cc: @oxij
* Merge pull request #47298 from oxij/nixos/doc-in-installer (Michael Raskin, 2018-09-25, 2 files, -2/+1)
  nixos: fix fallout from #46193

  * nixos: doc: fix minimal profile and installer configs (Jan Malakhovski, 2018-09-24, 2 files, -2/+1)

* Merge pull request #47296 from matthewbauer/closure-size-reductions (xeji, 2018-09-24, 1 file, -1/+4)
  ISO/OVA closure size reductions

  * nixos: don't enableQt4Support for installer profile (Matthew Bauer, 2018-09-24, 1 file, -1/+4)
    This is already done in installer/cd-dvd/installation-cd-graphical-kde.nix but not in profiles/graphical.nix.
    Related to #47256.

* Merge pull request #46193 from oxij/nixos/manual-to-doc (Samuel Dionne-Riel, 2018-09-24, 2 files, -2/+2)
  nixos: doc: implement #12542

  * nixos: doc: move non-service parts of `service.nixosManual` to `documentation.nixos` (Jan Malakhovski, 2018-09-23, 2 files, -2/+2)

* nixos: make firefox default browser (Matthew Bauer, 2018-09-22, 1 file, -1/+1)
  Without this the graphical installer has no way to open the manual. You can fix it yourself by installing any HTML browser but this might be unfamiliar to users new to NixOS and without any other way to open the manual.
  The downside is it will also increase download sizes.
  Fixes #46537
* usb-storage -> uas (volth, 2018-08-23, 1 file, -1/+1)
  Following up https://github.com/NixOS/nixpkgs/pull/23665
  Bootable USB-drives are not limited to ISO-images, there can be "normal" MBR/GPT-partitioned disk connected via USB-rack.
  Also, "uas" implies "usb-storage", so there is no need to mention both.

* nixos: Fix iso_graphical evaluation (Tuomas Tynkkynen, 2018-08-17, 1 file, -2/+2)
  I broke it:
  in job ‘nixos.iso_graphical.x86_64-linux’: The option `services.udisks2.enable' has conflicting definitions, in `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/profiles/installation-device.nix' and `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/services/x11/desktop-managers/plasma5.nix'.

* installer: Disable udisks (Tuomas Tynkkynen, 2018-08-17, 1 file, -0/+1)
  Due to whoever-knows-what, udisks nowadays pulls in GTK+ et al. But it shouldn't be needed anyway in the installer, so disable it.

* set initialHashedPassword in installation-device.nix (Bob van der Linden, 2018-08-07, 1 file, -0/+4)

* [bot] nixos/*: remove unused arguments in lambdas (volth, 2018-07-20, 8 files, -8/+8)

* [bot]: remove unreferenced code (volth, 2018-07-20, 1 file, -1/+0)