path: root/nixos/modules/profiles
Age | Commit message | Author | Files | Lines
2024-05-02 | nixos/top-level: Rename `system.forbiddenDependenciesRegex` to `system.forbiddenDependenciesRegexes` and turn it into a list. | Christian Kampka | 1 | -1/+1
The current setting of system.forbiddenDependenciesRegex is a string, meaning only one such regex as any additional setting would result in conflicts. As maintainers have already started using this setting e.g. in profiles, it would be good if this setting would accept a list of regex to allow the end user to make use of it in addition to package maintainers.
2024-04-17 | treewide: rename renamed libinput options | Sandro Jäckel | 1 | -2/+4
2024-04-16 | profiles/graphical:rename services.xserver.displayManager | Julian Stecklina | 1 | -4/+3
2024-04-16 | profiles/demo: rename services.xserver.displayManager | Julian Stecklina | 1 | -1/+1
2024-04-13 | nixos: remove all uses of lib.mdDoc | stuebinm | 1 | -3/+3
these changes were generated with nixq 0.0.2, by running

    nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
    nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
    nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix

two mentions of the mdDoc function remain in nixos/, both of which are inside of comments.

Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-03-25 | Merge pull request #293846 from amarshall/darwin-linux-builder-fail-on-error | Robert Hensing | 1 | -0/+5
darwin.linux-builder: Exit scripts on error
2024-03-24 | nixos/profile/all-hardware: remove simplefb | K900 | 1 | -9/+0
It's simpledrm now and it's compiled in.
2024-03-15 | darwin.linux-builder: Exit scripts on error | Andrew Marshall | 1 | -0/+5
For example, if the user decided to ctrl-c upon getting the sudo password prompt, the script previously continued on to start the VM, but that should not be the case.
2024-01-27 | nixos/hardened: update hardened profile to new recommendations | Tamara Schmitz | 1 | -3/+6
Borrowing from here to match hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/

Removed "slub_debug" as that option disables kernel memory address hashing. You also see a big warning about this in the dmesg: "This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."

"init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig.

"slab_nomerge" prevents the merging of slab/slub caches. These are effectively slab/slub pools.

"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on static address. It got superseded by vdsos a decade ago. Read some LWN.net to learn more ;)

"debugfs=off" I'm sure there are some few userspace programs that rely on debugfs, but they shouldn't.

Most other things mentioned on the blog were already the default on a running machine or may not be applicable.

Most other Kconfigs changes come from the kernel hardening checker and were added, when they were not applied to the kernel already.

Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
2024-01-26 | Merge pull request #283244 from bjornfor/nixos-add-polkit-to-installation-device | Ryan Lahfa | 1 | -0/+3
nixos/installation-device: enable polkit
2024-01-23 | nixos/installation-device: enable polkit | Bjørn Forsman | 1 | -0/+3
Polkit enables running 'reboot' and 'poweroff' in the installer without being root, and non-root is the default login for a few NixOS releases now.

There's no size increase in the minimal ISO:

    $ git checkout nixpkgs-unstable
    $ nix-build -A config.system.build.isoImage -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos/default.nix && du -sc ./result/iso/*.iso
    /nix/store/bfvbvrrqjmnqqhyqyxc0w32gagdz2rya-nixos-24.05.git.1149dab64e7-x86_64-linux.iso
    998404 ./result/iso/nixos-24.05.git.1149dab64e7-x86_64-linux.iso
    998404 total
    $ git checkout THIS_COMMIT
    $ nix-build -A config.system.build.isoImage -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos/default.nix && du -sc ./result/iso/*.iso
    /nix/store/l9x9rwlvfddnri70h1ifx865q0cvka5l-nixos-24.05.git.1149dab64e7-x86_64-linux.iso
    998404 ./result/iso/nixos-24.05.git.1149dab64e7-x86_64-linux.iso
    998404 total
2024-01-22 | nixos/profiles/perlless: init | nikstur | 1 | -0/+31
2023-12-25 | Merge pull request #273308 from Stunkymonkey/install-device-fix-mdadm | Linus Heckemann | 1 | -0/+2
nixos/installation-device: remove warning about mdadm
2023-12-11 | nixos/stub-ld: init module | Jeff Huffman | 1 | -0/+2
2023-12-10 | nixos/installation-device: remove warning about mdadm | Felix Buehler | 1 | -0/+2
2023-11-28 | Merge pull request #268574 from hercules-ci/linux-builder-no-eval | Atemu | 1 | -0/+13
darwin.linux-builder: Disable evaluation
2023-11-26 | Merge pull request #256159 from YtvwlD/yama | Thiago Kenji Okada | 1 | -4/+0
nixos/sysctl: Stop disabling yama by default
2023-11-19 | darwin.linux-builder: Disable installer tools | Robert Hensing | 1 | -0/+3
2023-11-19 | darwin.linux-builder: Disable evaluation | Robert Hensing | 1 | -0/+10
A remote builder does not need to evaluate anything, so let's trim it down to (eventually) save some space, and make the purpose of the builder clear. Users should evaluate on the host instead.
2023-10-28 | nixos/profiles: add image-based-appliance profile | Julian Stecklina | 1 | -0/+26
2023-10-28 | nixos/profiles/minimal: remove some perl | nikstur | 1 | -0/+9
2023-10-19 | nixos/sysctl: Enable Yama by default | Niklas Sombert | 1 | -4/+0
Yama is a LSM which restricts debugging. This prevents processes from snooping on another. It can be easily disabled with sysctl. This was initially included in #14392 and disabled by default by 86721a5f78718caf10c578e9501f8b4d19c0eb44. This has been part of the hardened configuration, but many other distros ship this for quite some time (Ubuntu for about ten years), so I'd say it might make sense to enable this per default.
2023-10-12 | darwin.linux-builder: Expose nixosConfig and nixosOptions attributes | Robert Hensing | 1 | -1/+6
I chose not to do nixos.{config, options} because that would make it look too much like a configuration object, which it is not. A configuration object I would define as for example the result of calling NixOS, an attrset with `_type = "configuration";`. Recreating a configuration object without evalModules is quite feasible but not guaranteed to be correct, and not maintainable.
2023-10-12 | darwin.linux-builder: Set meta.position | Robert Hensing | 1 | -0/+1
2023-10-04 | systemd-stage-1: Default to full systemd build. | Will Fancher | 1 | -2/+0
2023-08-07 | nixos/installation-device: allow nix-copy for root/nixos user | Jörg Thalheim | 1 | -0/+3
For non-interactive installation it's quite handy to be able to nix copy additional dependencies to the system. While this is possible for the root user, we cannot easily ssh into it, as we don't allow root login with a password. By making nixos a trusted user, we can do "passwd && sudo systemctl start sshd" and then run nixos-anywhere
2023-07-23 | linux-builder: fix eval failure | Michael Hoang | 1 | -1/+2
2023-07-10 | boot.initrd.services.swraid -> boot.swraid | Linus Heckemann | 1 | -3/+1
Since the option affects both stage-1 and stage-2, it does not make sense to keep it within the boot.initrd namespace.
2023-07-10 | nixos/swraid: make entire module optional | Linus Heckemann | 1 | -0/+4
swraid support will now only be enabled by default if stateVersion is older than 23.11. nixos-generate-config will now generate explicit config for enabling support if needed.
2023-07-06 | darwin.linux-builder: rename from `darwin.builder` | Michael Hoang | 1 | -1/+1
2023-07-06 | darwin.builder: allow overriding configuration | Michael Hoang | 1 | -1/+1
2023-07-06 | nixos/qemu-vm: use CA certificates from host | Michael Hoang | 1 | -0/+4
2023-07-06 | darwin.builder: use port 31022 by default | Michael Hoang | 1 | -5/+5
2023-07-01 | Merge pull request #178610 from Et7f3/headless-remove-vesa | Janik | 1 | -3/+1
2023-04-08 | nixos/installer: update getty help message | Bjørn Forsman | 1 | -3/+3
I think this is clearer.
2023-04-08 | nixos/installation-device.nix: improve comment about ssh login | Bjørn Forsman | 1 | -2/+2
root is not the only user that can login (user "nixos" can too), so generalize the wording.
2023-04-07 | nixos/darwin-builder: add disk space options (#224480) | Geraint Ballinger | 1 | -123/+183
2023-03-03 | nixos/profiles/base: remove duplicate and optimize fsPackages | Izorkin | 1 | -10/+2
2023-03-03 | nixos/profiles/base: remove duplicate systemPackages | Izorkin | 1 | -3/+1
2023-01-17 | Merge pull request #208956 from SuperSandro2000/profile-base-tcpdump | Sandro | 1 | -0/+1
2023-01-15 | services.openssh: support freeform settings (#193757) | Matthieu Coudron | 1 | -1/+1
* services.openssh: support freeform settings

Keep "extraConfig" but introduces "settings". Also renames several options

    (mkRenamedOptionModule [ "services" "openssh" "kbdInteractiveAuthentication" ] [ "services" "openssh" "settings" "KbdInteractiveAuthentication" ])
    (mkRenamedOptionModule [ "services" "openssh" "passwordAuthentication" ] [ "services" "openssh" "settings" "PasswordAuthentication" ])
    (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ])
    (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ])

* updated doc
* regen doc
2023-01-04 | nixos/misc: add VARIANT_ID in /etc/os-release for identifying nixos installer | lassulus | 1 | -0/+1
This is a feature useful for nixos-remote and other installation tools that try to identify if the remote machine has been successfully booted into an installer.
2023-01-03 | darwin.builder: auto-login as the `builder` user (#208772) | Gabriella Gonzalez | 1 | -3/+7
… as suggested by @NiklasGollenstede in: https://github.com/NixOS/nixpkgs/pull/206951#issuecomment-1369020601 This simplifies the user experience for logging into and debugging the machine and also simplifies the instructions for shutting down the machine gracefully.
2023-01-04 | nixos/profiles/base: add tcpdump | Sandro | 1 | -0/+1
2023-01-02 | darwin.builder: prefer shutting down over halting VM (#208450) | Winter | 1 | -9/+21
This is preferable because it prevents things like disk corruption (requiring the user to delete the disk image when starting up) that I consistently ran into.
2022-12-28 | nixos/macos-builder: Remove unnecessary paragraph | Robert Hensing | 1 | -5/+0
I was considering the broader context of stateVersion, but the macos builder does not enable documentation, making this paragraph a distraction.
2022-12-28 | nixos/macos-builder: Simplify error message | Robert Hensing | 1 | -5/+1
The `system` argument is usually implied, and not hard to figure out.

Co-authored-by: Gabriella Gonzalez <Gabriel439@gmail.com>
2022-12-28 | darwin.builder: Avoid unnecessary dependency on stateVersion | Robert Hensing | 1 | -1/+28
2022-12-26 | darwin.builder: Fix gratuitous rebuilds | Gabriella Gonzalez | 1 | -1/+6
See the discussion starting here: https://github.com/NixOS/nixpkgs/pull/206951#issuecomment-1364760917 The `darwin.builder` derivation had a gratuitous dependency on the current Nixpkgs revision due to `config.system.nixos.revision`. Setting the revision explicitly to null fixes this problem and prevents the derivation from being rebuilt on every change to Nixpkgs.
2022-12-24 | darwin.builder: Fix `system` for `install-credentials` | Gabriella Gonzalez | 1 | -1/+1
The script was mistakenly being built for the guest system instead of the host system