Commit graph

207 commits

Author SHA1 Message Date
Your Name
1b79176310 NixOS AWS AMI: enable the serial console on ttyS0 2021-08-20 12:42:02 -04:00
rnhmjoj
d857340c8e
nixos/installer: simplify and document wifi setup
The wpa_supplicant service in the NixOS installer is unusable because
the control socket is disabled and /etc/wpa_supplicant.conf ignored.

The manual currently recommends manually starting the daemon and using
wpa_passphrase, but this requires figuring out the interface name,
driver and only works for WPA2 personal networks.

By enabling the control socket, instead, a user can configure the
network via wpa_cli (or wpa_gui in the graphical installer), which
support more advanced network configurations.
2021-08-15 12:08:32 +02:00
Florian Klink
6c0058f47f
Merge pull request #85073 from hyperfekt/systemd-pstore
nixos/systemd|filesystems: mount and evacuate /sys/fs/pstore using systemd-pstore
2021-05-17 00:00:52 +02:00
github-actions[bot]
bf5d8bb531
Merge master into staging-next 2021-05-14 00:58:11 +00:00
Samuel Dionne-Riel
12ede41735
Merge pull request #110435 from superloach/patch-2
nixos/modules: add "sdhci_pci" to availableKernelModules
2021-05-13 17:45:22 -04:00
hyperfekt
3e3e763a07 nixos/systemd: enable systemd-pstore.service
As described in issue #81138, the Install section of upstream units is
currently ignored, so we make it part of the sysinit.target manually.
2021-05-09 23:21:51 +02:00
github-actions[bot]
b4416b52c5
Merge master into staging-next 2021-05-08 00:46:50 +00:00
Samuel Dionne-Riel
cb9b46a3cd profiles/all-hardware.nix: Add vc4 for broadcom hardware
Namely, early KMS on raspberry pi
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
f5b7687d26 profiles/all-hardware.nix: Share some config for all ARM 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
14ac6de024 profiles/all-hardware.nix: Fix for arvmv7l-linux 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
82625705c6 profiles/all-hardware.nix: Add analogix-dp
While it's being brought in implicitly by the other analogix driver,
let's be explicit, in case things change.
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
9fa3e2c2a3 profiles/all-hardware.nix: Add regulator needed for rockchip
But not exclusive to rockchip
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
535d463cf9 profiles/all-hardware.nix: Add rockchip modules 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
70205bd13c profiles/all-hardware.nix: Add support for Raspberry Pi 4 USB 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
a846d19831 profiles/all-hardware.nix: Add power regulator modules
This is used on some allwinner platforms, and is a weak dependency for
USB to work.
2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
a8af02fe6d profiles/all-hardware.nix: Add modules for integrated displays
Namely, this is used by the pinebook's display
2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
5bc36c1b30 profiles/all-hardware.nix: Add support for Allwinner hardware 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
c60de92917 profiles/all-hardware.nix: Add simplefb for AArch64 2021-05-04 19:42:12 -04:00
Julien Moutinho
b42a0e205d nixos/apparmor: disable killUnconfinedConfinables by default 2021-04-23 07:20:20 +02:00
Dominik Xaver Hörl
893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
Erik Arvstedt
0b5fd3b784 qemu-guest: remove security.rngd setting
Since release 20.09 `rngd.enable` defaults to false, so this setting is redundant.

Also fix the `qemu-quest` section of the manual that incorrectly claimed
that `rngd` was enabled.
2021-01-27 18:27:34 +01:00
Terra Brown
c2a901798e
nixos/modules: add "sdhci_pci" to availableKernelModules
Encountered issues booting the live image on an Acer R11 Chromebook (CYAN). Got help from @samueldr on Freenode, and adding this module fixed it. Likely useful for other platforms/situations where booting from SD is necessary.
2021-01-21 23:08:54 -05:00
Vladimír Čunát
9e2880e5fa
nixos ISO image: revert another part of 8ca33835ba 2021-01-13 15:25:19 +01:00
Vladimír Čunát
8ca33835ba
nixos: fixup build of aarch64 minimal ISO (fixes #109252)
Perhaps it's not pretty nor precise; feel free to improve.
2021-01-13 14:05:45 +01:00
Alyssa Ross
6c3d21aff9
nixos/getty: rename from services.mingetty
It's been 8.5 years since NixOS used mingetty, but the option was
never renamed (despite the file definining the module being renamed in
9f5051b76c ("Rename mingetty module to agetty")).

I've chosen to rename it to services.getty here, rather than
services.agetty, because getty is implemantation-neutral and also the
name of the unit that is generated.
2021-01-05 09:09:42 +00:00
talyz
0f0d5c0c49
profiles/hardened: Add note about potential instability
Enabling the profile can lead to hard-to-debug issues, which should be
warned about in addition to the cost in features and performance.

See https://github.com/NixOS/nixpkgs/issues/108262 for an example.
2021-01-04 16:03:29 +01:00
TredwellGit
b6e21a7609 nixos/hardened: update blacklisted filesystems
241a158269/suse-module-tools.spec (L24)
2020-09-27 06:16:58 +00:00
Jörg Thalheim
a5872edf2f
nixos/installer: enable sshd by default
Right now the UX for installing NixOS on a headless system is very bad.
To enable sshd without physical steps users have to have either physical
access or need to be very knowledge-able to figure out how to modify the
installation image by hand to put an `sshd.service` symlink in the
right directory in /nix/store. This is in particular a problem on ARM
SBCs (single board computer) but also other hardware where network is
the only meaningful way to access the hardware.

This commit enables sshd by default. This does not give anyone access to
the NixOS installer since by default. There is no user with a non-empty
password or key. It makes it easy however to add ssh keys to the
installation image (usb stick, sd-card on arm boards) by simply mounting
it and adding a keys to `/root/.ssh/authorized_keys`.
Importantly this should not require nix/nixos on the machine that
prepare the installation device and even feasiable on non-linux systems
by using ext4 third party drivers.

Potential new threats: Since this enables sshd by default a
potential bug in openssh could lead to remote code execution. Openssh
has a very good track-record over the last 20 years, which makes it
far more likely that Linux itself would have a remote code execution
vulnerability. It is trusted by millions of servers on many operating
systems to be exposed to the internet by default.

Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
2020-09-06 20:26:08 +02:00
Izorkin
e21e5a9483 nixos/security/misc: add option unprivilegedUsernsClone 2020-08-25 14:18:24 +03:00
davidak
5a3738d22b
nixos/systemPackages: clean up (#91213)
* nixos/systemPackages: clean up

* Update nixos/doc/manual/release-notes/rl-2009.xml

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>

* Update nixos/doc/manual/release-notes/rl-2009.xml

Co-authored-by: 8573 <8573@users.noreply.github.com>

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: 8573 <8573@users.noreply.github.com>
2020-08-20 13:45:54 +00:00
worldofpeace
490cd7889e nixos/displayManager: make autoLogin options independent of DM type
Co-authored-by: volth <volth@volth.com>
2020-07-09 21:15:35 -04:00
adisbladis
1ca6909514
Merge pull request #74378 from ttuegel/lxc-container
docker-container: Remove /etc symlink
2020-04-25 16:25:15 +02:00
Emily
b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily
84f258bf09 nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily
cc28d51237 nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily
46d12cca56 nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily
af4f57b2c4 nixos/hardened: don't set net.core.bpf_jit_harden
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily
71bbd876b7 nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily
9da578a78f nixos/hardened: don't set kernel.dmesg_restrict
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily
cf1bce6a7a nixos/hardened: don't set vsyscall=none
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily
3b32cd2a5b nixos/hardened: don't set slab_nomerge
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Florian Klink
a8989b353a Revert "nixos/hardened: build sandbox incompatible with namespaces"
As discussed in https://github.com/NixOS/nixpkgs/pull/73763, prevailing
consensus is to revert that commit. People use the hardened profile on
machines and run nix builds, and there's no good reason to use
unsandboxed builds at all unless you're in a platform that doesn't
support them.

This reverts commit 00ac71ab19.
2020-04-05 17:38:15 +02:00
Joachim F
18b89e7abd
Merge pull request #73763 from kmcopper/hardening-profile
Improvements to the NixOS Hardened Profile
2020-04-03 18:48:12 +00:00
Eelco Dolstra
bd379be538
Remove unused 'rogue' service 2020-03-24 15:25:20 +01:00
Eelco Dolstra
aebf9a4709
services/misc/nixos-manual.nix: Remove
Running the manual on a TTY is useless in the graphical ISOs and not
particularly useful in non-graphical ISOs (since you can also run
'nixos-help').

Fixes #83157.
2020-03-24 15:25:20 +01:00
Thomas Tuegel
757c7f3773
docker-container: Remove /etc symlink
The system output usually contains a symlink from /etc to the static
configuration for the benefit of the stage-1 script in the initrd. The stage-2
script is usually started in the real root without such a symlink. In a
container, there is no stage-1 and the system output is used directly as a real
root. If the symlink is present, setup-etc.pl will create a symlink cycle and
the system cannot boot. There is no reason for the /etc link to exist in a
container because setup-etc.pl will create the necessary files. The container
module will now remove the /etc symlink and create an empty directory. The empty
/etc is for container managers to populate it with site-specific settings; for
example, to set the hostname. This is required to boot NixOS in an LXC container
on another host.

See also: #9735
2019-11-27 15:51:19 -06:00
Kyle Copperfield
759968a612 nixos/hardened: scudo default allocator. zero by default allow override. 2019-11-26 08:50:35 +00:00
Jan Tojnar
77661f8cfd
nixos/plasma5: drop enableQt4Support option
Phonon no longer supports Qt4 so this is useless.
2019-11-22 09:01:05 +01:00
Kyle Copperfield
00ac71ab19 nixos/hardened: build sandbox incompatible with namespaces
Disables the build sandbox by default to avoid incompatibility with
defaulting user namespaces to false. Ideally there would be some kind of
linux kernel feature that allows us to trust nix-daemon builders to
allow both nix sandbox builds and disabling untrusted naemspaces at the
same time.
2019-11-19 14:56:09 +00:00