Commit Graph

281 Commits

Author SHA1 Message Date
Tamara Schmitz
b80c3284d5
nixos/hardened: update hardened profile to new recommendations
Borrowing from here to match hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/

Removed "slub_debug" as that option disables kernel memory address
hashing. You also see a big warning about this in the dmesg:
"This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."

"init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig.

"slab_nomerge" prevents the merging of slab/slub caches. These are
effectively slab/slub pools.

"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on
a static address. It got superseded by vdsos a decade ago. Read some
LWN.net to learn more ;)

"debugfs=off" I'm sure there are some few userspace programs that rely on
debugfs, but they shouldn't.

Most other things mentioned on the blog were already the default on a
running machine or may not be applicable.

Most other Kconfig changes come from the kernel hardening checker and
were added when they were not already applied to the kernel.

Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
2024-01-27 20:43:58 +00:00
Ryan Lahfa
37832d237e
Merge pull request #283244 from bjornfor/nixos-add-polkit-to-installation-device
nixos/installation-device: enable polkit
2024-01-26 14:46:48 +01:00
Bjørn Forsman
dadc54aabe nixos/installation-device: enable polkit
Polkit enables running 'reboot' and 'poweroff' in the installer without
being root, and non-root is the default login for a few NixOS releases
now.

There's no size increase in the minimal ISO:

  $ git checkout nixpkgs-unstable
  $ nix-build -A config.system.build.isoImage -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos/default.nix && du -sc ./result/iso/*.iso
  /nix/store/bfvbvrrqjmnqqhyqyxc0w32gagdz2rya-nixos-24.05.git.1149dab64e7-x86_64-linux.iso
  998404  ./result/iso/nixos-24.05.git.1149dab64e7-x86_64-linux.iso
  998404  total

  $ git checkout THIS_COMMIT
  $ nix-build -A config.system.build.isoImage -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos/default.nix && du -sc ./result/iso/*.iso
  /nix/store/l9x9rwlvfddnri70h1ifx865q0cvka5l-nixos-24.05.git.1149dab64e7-x86_64-linux.iso
  998404  ./result/iso/nixos-24.05.git.1149dab64e7-x86_64-linux.iso
  998404  total
2024-01-23 16:10:31 +01:00
nikstur
8710a27bc6 nixos/profiles/perlless: init 2024-01-22 00:54:13 +01:00
Linus Heckemann
5494aa21c7
Merge pull request #273308 from Stunkymonkey/install-device-fix-mdadm
nixos/installation-device: remove warning about mdadm
2023-12-25 23:41:10 +01:00
Jeff Huffman
0863f6d2da
nixos/stub-ld: init module 2023-12-11 05:47:23 -05:00
Felix Buehler
9537527389 nixos/installation-device: remove warning about mdadm 2023-12-10 13:06:25 +01:00
Atemu
6fc4c1c40c
Merge pull request #268574 from hercules-ci/linux-builder-no-eval
darwin.linux-builder: Disable evaluation
2023-11-28 17:31:08 +01:00
Thiago Kenji Okada
e6e0787c3f
Merge pull request #256159 from YtvwlD/yama
nixos/sysctl: Stop disabling yama by default
2023-11-26 10:32:32 +00:00
Robert Hensing
f3e9d7f84b darwin.linux-builder: Disable installer tools 2023-11-19 21:33:58 +01:00
Robert Hensing
66b2913797 darwin.linux-builder: Disable evaluation
A remote builder does not need to evaluate anything, so let's trim
it down to (eventually) save some space, and make the purpose of
the builder clear.

Users should evaluate on the host instead.
2023-11-19 21:06:32 +01:00
Julian Stecklina
e8bed1eec9 nixos/profiles: add image-based-appliance profile 2023-10-28 13:26:39 +02:00
nikstur
8dfe8e447e nixos/profiles/minimal: remove some perl 2023-10-28 13:26:39 +02:00
Niklas Sombert
1ee5a5b6ed nixos/sysctl: Enable Yama by default
Yama is an LSM which restricts debugging. This prevents processes from
snooping on one another. It can be easily disabled with sysctl.

This was initially included in #14392 and disabled by default by
86721a5f78.

This has been part of the hardened configuration, but many other distros
have shipped this for quite some time (Ubuntu for about ten years), so I'd say
it might make sense to enable this per default.
2023-10-19 21:44:12 +02:00
Robert Hensing
508c310222 darwin.linux-builder: Expose nixosConfig and nixosOptions attributes
I chose not to do nixos.{config, options} because that would make it
look too much like a configuration object, which it is not.

A configuration object I would define as for example the result of
calling NixOS, an attrset with `_type = "configuration";`.

Recreating a configuration object without evalModules is quite
feasible but not guaranteed to be correct, and not maintainable.
2023-10-12 23:10:41 +02:00
Robert Hensing
9443a0b51e darwin.linux-builder: Set meta.position 2023-10-12 22:58:50 +02:00
Will Fancher
710b96b191 systemd-stage-1: Default to full systemd build. 2023-10-04 04:21:35 -04:00
Jörg Thalheim
1f1a758e95 nixos/installation-device: allow nix-copy for root/nixos user
For non-interactive installation it's quite handy to be able to nix copy additional dependencies to the system.
While this is possible for the root user, we cannot easily ssh into it, as we don't allow root login with a password.
By making nixos a trusted user, we can do "passwd && sudo systemctl start sshd" and then run nixos-anywhere
2023-08-07 16:48:49 +02:00
Michael Hoang
1deed6cd12 linux-builder: fix eval failure 2023-07-23 18:07:48 +10:00
Linus Heckemann
c0f963a338 boot.initrd.services.swraid -> boot.swraid
Since the option affects both stage-1 and stage-2, it does not make
sense to keep it within the boot.initrd namespace.
2023-07-10 20:20:08 +02:00
Linus Heckemann
0b277bcc2b nixos/swraid: make entire module optional
swraid support will now only be enabled by default if stateVersion is
older than 23.11. nixos-generate-config will now generate explicit
config for enabling support if needed.
2023-07-10 16:39:35 +02:00
Michael Hoang
edef486898 darwin.linux-builder: rename from darwin.builder 2023-07-06 21:33:09 +10:00
Michael Hoang
34f6ce2fc2 darwin.builder: allow overriding configuration 2023-07-06 21:32:08 +10:00
Michael Hoang
98d970bc37 nixos/qemu-vm: use CA certificates from host 2023-07-06 21:32:08 +10:00
Michael Hoang
285f5e858e darwin.builder: use port 31022 by default 2023-07-06 21:32:08 +10:00
Janik
87cb1d7cd2
Merge pull request #178610 from Et7f3/headless-remove-vesa 2023-07-01 10:19:04 +02:00
Bjørn Forsman
54731a8cea nixos/installer: update getty help message
I think this is clearer.
2023-04-08 20:18:28 +02:00
Bjørn Forsman
bc3272f51e nixos/installation-device.nix: improve comment about ssh login
root is not the only user that can log in (user "nixos" can too), so
generalize the wording.
2023-04-08 20:16:16 +02:00
Geraint Ballinger
8b2521bdae
nixos/darwin-builder: add disk space options (#224480) 2023-04-07 05:10:49 +02:00
Izorkin
3e3367aa6a
nixos/profiles/base: remove duplicate and optimize fsPackages 2023-03-03 23:32:48 +03:00
Izorkin
0367cc8b5a
nixos/profiles/base: remove duplicate systemPackages 2023-03-03 16:12:56 +03:00
Sandro
8986570cb3
Merge pull request #208956 from SuperSandro2000/profile-base-tcpdump 2023-01-17 01:20:31 +01:00
Matthieu Coudron
cf10d7aef8
services.openssh: support freeform settings (#193757)
* services.openssh: support freeform settings

Keeps "extraConfig" but introduces "settings".

Also renames several options

(mkRenamedOptionModule [ "services" "openssh" "kbdInteractiveAuthentication" ] [  "services" "openssh" "settings" "KbdInteractiveAuthentication" ])
(mkRenamedOptionModule [ "services" "openssh" "passwordAuthentication" ] [  "services" "openssh" "settings" "PasswordAuthentication" ])
(mkRenamedOptionModule [ "services" "openssh" "useDns" ] [  "services" "openssh" "settings" "UseDns" ])
(mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [  "services" "openssh" "settings" "PermitRootLogin" ])

* updated doc
* regen doc
2023-01-15 16:32:46 +01:00
lassulus
5464e0a018 nixos/misc: add VARIANT_ID in /etc/os-release for identifying nixos installer
This is a feature useful for nixos-remote and other installation tools
that try to identify if the remote machine has been successfully booted
into an installer.
2023-01-04 19:11:41 +01:00
Gabriella Gonzalez
6d89aa8f1d
darwin.builder: auto-login as the builder user (#208772)
… as suggested by @NiklasGollenstede in:

https://github.com/NixOS/nixpkgs/pull/206951#issuecomment-1369020601

This simplifies the user experience for logging into and
debugging the machine and also simplifies the instructions for
shutting down the machine gracefully.
2023-01-03 21:12:56 -08:00
Sandro
53373b761a
nixos/profiles/base: add tcpdump 2023-01-04 01:24:47 +01:00
Winter
15013b3054
darwin.builder: prefer shutting down over halting VM (#208450)
This is preferable because it prevents things like disk corruption (requiring the user to delete the disk image when starting up) that I consistently ran into.
2023-01-02 07:36:41 -08:00
Robert Hensing
91050a9d9d nixos/macos-builder: Remove unnecessary paragraph
I was considering the broader context of stateVersion, but the
macos builder does not enable documentation, making this paragraph
a distraction.
2022-12-28 14:38:36 +01:00
Robert Hensing
62c8b5bf85 nixos/macos-builder: Simplify error message
The `system` argument is usually implied, and not hard to figure out.

Co-authored-by: Gabriella Gonzalez <Gabriel439@gmail.com>
2022-12-28 14:38:04 +01:00
Robert Hensing
30548793ab darwin.builder: Avoid unnecessary dependency on stateVersion 2022-12-28 14:37:02 +01:00
Gabriella Gonzalez
474198f808 darwin.builder: Fix gratuitous rebuilds
See the discussion starting here:

https://github.com/NixOS/nixpkgs/pull/206951#issuecomment-1364760917

The `darwin.builder` derivation had a gratuitous dependency
on the current Nixpkgs revision due to
`config.system.nixos.revision`.  Setting the revision explicitly
to null fixes this problem and prevents the derivation from being
rebuilt on every change to Nixpkgs.
2022-12-26 20:25:56 -06:00
Gabriella Gonzalez
799491feba darwin.builder: Fix system for install-credentials
The script was mistakenly being built for the guest
system instead of the host system.
2022-12-24 08:47:59 -06:00
Gabriella Gonzalez
0b9b09eee6 darwin.builder: Fix supported platforms
See: https://github.com/NixOS/nixpkgs/issues/108984#issuecomment-1364263324

Before this change the supported platforms were unspecified, so
it would default to being only built on `x86_64-linux`.  This
fixes that so that hydra.nixos.org builds and caches the Darwin
build products instead.
2022-12-23 13:38:34 -06:00
Gabriella Gonzalez
edd1cbf5d4 darwin.builder: init
Fixes https://github.com/NixOS/nixpkgs/issues/108984

This originates from:

https://github.com/Gabriella439/macos-builder

… which in turn originates from:

https://github.com/YorikSar/nixos-vm-on-macos
2022-12-19 17:03:45 -08:00
Jose Cardoso
c2723da1ea
nixos/modules/profiles/base.nix: add nvme-cli 2022-12-13 15:35:05 +00:00
Izorkin
362d351845
nixos/profiles/minimal: disable udisks service 2022-12-09 13:03:49 +03:00
Izorkin
ee858454b3
nixos/profiles/minimal: disable logrotate service 2022-12-09 13:03:49 +03:00
Izorkin
df22e4124d
nixos/profiles/minimal: disable documentation 2022-12-09 13:03:38 +03:00
Maximilian Bosch
d85c685320
Merge pull request #201380 from Ma27/installer/vim-with-nix-support
nixos/profiles/base: install vim w/nix-syntax plugin
2022-12-03 16:20:08 +01:00
Maximilian Bosch
0b5a0cbc69
nixos/profiles/base: install vim w/nix-syntax plugin
Considering that you most likely edit Nix code in the installer, that
seems like a useful thing.

The size of the ISO I got from

    nix-build nixos/release.nix -A iso_minimal.x86_64-linux

is still at 877M.
2022-12-03 16:05:01 +01:00