Commit Graph

9955 Commits

Author SHA1 Message Date
Frederik Rietdijk
10afccf145 Merge staging-next into staging 2018-12-27 18:11:34 +01:00
Dmitry Kalinkin
3edd5cb227
Merge pull request #51294 from eadwu/nvidia_x11/legacy_390
nvidia: expose nvidia_x11_legacy390
2018-12-27 09:08:53 -05:00
Joachim Fasting
ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multithreading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting
e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting
9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Samuel Dionne-Riel
302d53df2b nixos/sd-image-aarch64-new-kernel: Added to release
This, paired with the previous commit, ensures the channel won't be held
back from a kernel upgrade and a non-building sd image, while still
having a new-kernel variant available.
2018-12-26 11:03:32 +00:00
Samuel Dionne-Riel
207210660f nixos/sd-image-aarch64: Configures it to use the default kernel 2018-12-26 11:03:32 +00:00
Frederik Rietdijk
e45ca47f14 Merge staging-next into staging 2018-12-26 09:30:32 +01:00
worldofpeace
c1599d29d9 gcr: rename from gnome3.gcr 2018-12-25 20:14:28 -05:00
worldofpeace
3f6c81da4d
Merge pull request #52592 from worldofpeace/geoclue/correct-sysconf
geoclue2: correct sysconfdir
2018-12-25 19:03:22 -05:00
worldofpeace
c65edd687f geoclue2: correct sysconfdir 2018-12-25 18:38:19 -05:00
Jan Tojnar
c45e9d0fac
Merge branch 'master' into staging 2018-12-25 17:03:57 +01:00
Sander van der Burg
a27aa247c0
Merge pull request #50596 from svanderburg/mobile-updates
Mobile updates
2018-12-24 15:52:33 +01:00
Jan Tojnar
ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00
zimbatm
d06f798ce7
Merge pull request #51566 from adisbladis/google-oslogin
GCE OSLogin module: init
2018-12-24 14:11:49 +01:00
Jörg Thalheim
044ff3dc66
nixos/vdr: don't delete recordings 2018-12-23 18:54:39 +01:00
Jörg Thalheim
633bc1d09b
Merge pull request #52686 from Mic92/vdr
vdr: revisited version of https://github.com/NixOS/nixpkgs/pull/32050
2018-12-23 16:19:27 +01:00
Emery Hemingway
124d8ccc69
Add IPFS warning 2018-12-22 20:04:19 +01:00
Jörg Thalheim
45986ec587
nixos/vdr: create video directory automatically 2018-12-22 15:13:35 +01:00
Christian Kögler
dd3f755cf4
vdr: initial at 2.4.0 and nixos module
Uses the same plugin mechanism as kodi does
2018-12-22 15:13:25 +01:00
worldofpeace
94af8ebde2 nixos/displayManager: only install wayland sessions if they exist in extraSessionFilePackages
Not everyone is using wayland just yet.
2018-12-22 01:15:09 -05:00
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink
c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during the ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both the ability to log into
an instance and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink
be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink
d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means the account management group
succeeds early, as soon as pam_unix.so succeeds.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking about what could break: after this commit, we require
pam_unix to succeed, which means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing its 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Samuel Dionne-Riel
3c38cc8058
Merge pull request #51813 from samueldr/aarch64/disable-non-arm-builds-part-1
aarch64: ZHF for aarch64 (1/??)
2018-12-20 21:06:52 -05:00
Sander van der Burg
e37f0454ac Remove relatedPackages to fix ofborg evaluation 2018-12-20 19:29:00 +01:00
Maximilian Bosch
87ebc2ad0b
Merge pull request #52345 from r-ryantm/auto-update/clickhouse
clickhouse: 18.14.9 -> 18.14.18
2018-12-20 18:48:37 +01:00
Jörg Thalheim
2dd13d4ba0 nixos/glusterfs: remove unused PYTHONPATH
this directory does not exist
2018-12-20 14:54:56 +00:00
Maximilian Bosch
64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existent file in `/var/log` which breaks the
service. Patching the default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start; as it's not
required by the module system, we set UTC as a sensible default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Jeremy Apthorp
654c3124b2
shairport-sync: don't daemonize
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.

The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
2018-12-19 22:37:25 -08:00
Matthew Bauer
92840ab944
Merge pull request #51600 from eburimu/fix/cross-extlinux-conf-builder
extlinux-conf: fix cross compilation
2018-12-19 11:01:31 -06:00
Frederik Rietdijk
9ab61ab8e2 Merge staging-next into staging 2018-12-19 09:00:36 +01:00
Maximilian Bosch
83fe20e57f
Merge pull request #52485 from pablode/master
nixos/oh-my-zsh: fix wrong manual information
2018-12-18 23:18:27 +01:00
Sander van der Burg
8122431953 Fix adb program module 2018-12-18 21:16:07 +01:00
volth
fed7914539
Merge branch 'staging' into make-perl-pathd 2018-12-18 17:13:27 +00:00
Pablo Delgado Krämer
685c4f5608 nixos/oh-my-zsh: fix wrong manual information
Manual still refers to 'programs.ohMyZsh' although it should be 'programs.zsh.ohMyZsh'.
2018-12-18 14:31:35 +01:00
Jörg Thalheim
f2180a5367
Merge pull request #52458 from tadfisher/emacs-bash-prompt
nixos/bash: Fix prompt regression in Emacs term mode
2018-12-18 09:19:48 +00:00
markuskowa
5289fcc422
Merge pull request #47297 from greydot/bladerf
Introduce hardware/bladeRF module
2018-12-18 09:29:32 +01:00
Lana Black
7112cd8822 nixos/hardware/bladeRF: init at 2.0.2
This allows one to easily enable bladerf-related udev rules with NixOS
configuration.
2018-12-18 08:11:18 +00:00
Samuel Dionne-Riel
321d48d5db
Merge pull request #51397 from samueldr/feature/aarch64-uefi
installer: Adds AArch64 UEFI installer support. (Work towards SBBR and EBBR support)
2018-12-17 18:56:57 -05:00
Tad Fisher
b4b67177b5 nixos/bash: Fix prompt regression in Emacs term mode 2018-12-17 15:42:41 -08:00
Michael Peyton Jones
f64bc036a5
nixos: add XDG sounds module 2018-12-18 00:32:13 +01:00
Jan Tojnar
aacb244889
Merge pull request #51520 from michaelpj/imp/appstream
nixos: add AppStream module
2018-12-18 00:27:23 +01:00
Silvan Mosberger
9673380261
Merge pull request #52168 from cdepillabout/add-bluezFull-package
Add bluez full package
2018-12-17 03:01:49 +01:00
Satoshi Shishiku
5a93f6149a
prosody service: set cafile
Fix s2s_secure_auth.
2018-12-17 01:01:41 +01:00
Jan Tojnar
aead6e12f9
Merge remote-tracking branch 'upstream/master' into staging 2018-12-16 22:55:06 +01:00
Florian Klink
91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00