Merge branch 'master' into staging

14 files changed, 155 insertions, 611 deletions

diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml
index 3abafac97378..893f894f42fe 100644
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -176,7 +176,7 @@ following incompatible changes:</para>
   streamlined.  Desktop users should be able to simply set
   <programlisting>security.grsecurity.enable = true</programlisting> to get
   a reasonably secure system without having to sacrifice too much
-  functionality.  See <xref linkend="sec-grsecurity" /> for documentation
+  functionality.
   </para></listitem>
 
   <listitem><para>Special filesystems, like <literal>/proc</literal>,
diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
index 88b28c291184..c275fe46d118 100644
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -184,6 +184,15 @@ rmdir /var/lib/ipfs/.ipfs
       <literal>services.xserver.libinput.enable</literal>.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      grsecurity/PaX support has been dropped, following upstream's
+      decision to cease free support.  See
+      <link xlink:href="https://grsecurity.net/passing_the_baton.php">
+      upstream's announcement</link> for more information.
+      No complete replacement for grsecurity/PaX is available presently.
+    </para>
+  </listitem>
 </itemizedlist>
 
 <para>Other notable improvements:</para>
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 641a9e6095e5..cc7aa519478e 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -121,7 +121,6 @@
   ./security/chromium-suid-sandbox.nix
   ./security/dhparams.nix
   ./security/duosec.nix
-  ./security/grsecurity.nix
   ./security/hidepid.nix
   ./security/lock-kernel-modules.nix
   ./security/oath.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 6b33eeb6e4e7..fcf4c32d2778 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -124,26 +124,6 @@ with lib;
     (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
     (mkRemovedOptionModule [ "services" "iodined" "client" ] "")
 
-    # Grsecurity
-    (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
-
     # Unity3D
     (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
 
diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix
index 0458ffb6c46c..be6acb3f1f53 100644
--- a/nixos/modules/security/chromium-suid-sandbox.nix
+++ b/nixos/modules/security/chromium-suid-sandbox.nix
@@ -19,9 +19,6 @@ in
 
       Also, if the URL chrome://sandbox tells you that "You are not adequately
       sandboxed!", turning this on might resolve the issue.
-
-      Finally, if you have <option>security.grsecurity</option> enabled and you
-      use Chromium, you probably need this.
     '';
   };
 
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
deleted file mode 100644
index d23c7f2e86de..000000000000
--- a/nixos/modules/security/grsecurity.nix
+++ /dev/null
@@ -1,169 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-  cfg = config.security.grsecurity;
-  grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
-
-  # Ascertain whether NixOS container support is required
-  containerSupportRequired =
-    config.boot.enableContainers && config.containers != {};
-in
-
-{
-  meta = {
-    maintainers = with maintainers; [ ];
-    doc = ./grsecurity.xml;
-  };
-
-  options.security.grsecurity = {
-
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable grsecurity/PaX.
-      '';
-    };
-
-    lockTunables = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to automatically lock grsecurity tunables
-        (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>).  Disable
-        this to allow runtime configuration of grsecurity features.  Activate
-        the <literal>grsec-lock</literal> service unit to prevent further
-        configuration until the next reboot.
-      '';
-    };
-
-    disableEfiRuntimeServices = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to disable access to EFI runtime services.  Enabling EFI runtime
-        services creates a venue for code injection attacks on the kernel and
-        should be disabled if at all possible.  Changing this option enters into
-        effect upon reboot.
-      '';
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-
-    boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
-
-    boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
-      ++ optional cfg.disableEfiRuntimeServices "noefi";
-
-    nixpkgs.config.grsecurity = true;
-
-    # Install PaX related utillities into the system profile.
-    environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
-
-    # Install rules for the grsec device node
-    services.udev.packages = [ pkgs.gradm ];
-
-    # This service unit is responsible for locking the grsecurity tunables.  The
-    # unit is always defined, but only activated on bootup if lockTunables is
-    # toggled.  When lockTunables is toggled, failure to activate the unit will
-    # enter emergency mode.  The intent is to make it difficult to silently
-    # enter multi-user mode without having locked the tunables.  Some effort is
-    # made to ensure that starting the unit is an idempotent operation.
-    systemd.services.grsec-lock = {
-      description = "Lock grsecurity tunables";
-
-      wantedBy = optional cfg.lockTunables "multi-user.target";
-
-      wants = [ "local-fs.target" "systemd-sysctl.service" ];
-      after = [ "local-fs.target" "systemd-sysctl.service" ];
-      conflicts = [ "shutdown.target" ];
-
-      restartIfChanged = false;
-
-      script = ''
-        if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
-          echo -n 1 > ${grsecLockPath}
-        fi
-      '';
-
-      unitConfig = {
-        ConditionPathIsReadWrite = grsecLockPath;
-        DefaultDependencies = false;
-      } // optionalAttrs cfg.lockTunables {
-        OnFailure = "emergency.target";
-      };
-
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-    };
-
-    # Configure system tunables
-    boot.kernel.sysctl = {
-      # Read-only under grsecurity
-      "kernel.kptr_restrict" = mkForce null;
-
-      # All grsec tunables default to off, those not enabled below are
-      # *disabled*.  We use mkDefault to allow expert users to override
-      # our choices, but use mkForce where tunables would outright
-      # conflict with other settings.
-
-      # Enable all chroot restrictions by default (overwritten as
-      # necessary below)
-      "kernel.grsecurity.chroot_caps" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
-      "kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
-      "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
-      "kernel.grsecurity.chroot_findtask" = mkDefault 1;
-      "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
-
-      # Enable various grsec protections
-      "kernel.grsecurity.consistent_setxid" = mkDefault 1;
-      "kernel.grsecurity.deter_bruteforce" = mkDefault 1;
-      "kernel.grsecurity.fifo_restrictions" = mkDefault 1;
-      "kernel.grsecurity.harden_ipc" = mkDefault 1;
-      "kernel.grsecurity.harden_ptrace" = mkDefault 1;
-      "kernel.grsecurity.harden_tty" = mkDefault 1;
-      "kernel.grsecurity.ip_blackhole" = mkDefault 1;
-      "kernel.grsecurity.linking_restrictions" = mkDefault 1;
-      "kernel.grsecurity.ptrace_readexec" = mkDefault 1;
-
-      # Enable auditing
-      "kernel.grsecurity.audit_ptrace" = mkDefault 1;
-      "kernel.grsecurity.forkfail_logging" = mkDefault 1;
-      "kernel.grsecurity.rwxmap_logging" = mkDefault 1;
-      "kernel.grsecurity.signal_logging" = mkDefault 1;
-      "kernel.grsecurity.timechange_logging" = mkDefault 1;
-    } // optionalAttrs config.nix.useSandbox {
-      # chroot(2) restrictions that conflict with sandboxed Nix builds
-      "kernel.grsecurity.chroot_caps" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
-    } // optionalAttrs containerSupportRequired {
-      # chroot(2) restrictions that conflict with NixOS lightweight containers
-      "kernel.grsecurity.chroot_caps" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
-      "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
-      # Disable privileged IO by default, unless X is enabled
-    } // optionalAttrs (!config.services.xserver.enable) {
-      "kernel.grsecurity.disable_priv_io" = mkDefault 1;
-    };
-
-  };
-}
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
deleted file mode 100644
index 0a884b3f9b55..000000000000
--- a/nixos/modules/security/grsecurity.xml
+++ /dev/null
@@ -1,385 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-grsecurity">
-
-  <title>Grsecurity/PaX</title>
-
-  <para>
-    Grsecurity/PaX is a set of patches against the Linux kernel that
-    implements an extensive suite of
-    <link xlink:href="https://grsecurity.net/features.php">features</link>
-    designed to increase the difficulty of exploiting kernel and
-    application bugs.
-  </para>
-
-  <para>
-    The NixOS grsecurity/PaX module is designed with casual users in mind and is
-    intended to be compatible with normal desktop usage, without
-    <emphasis>unnecessarily</emphasis> compromising security.  The
-    following sections describe the configuration and administration of
-    a grsecurity/PaX enabled NixOS system.  For more comprehensive
-    coverage, please refer to the
-    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
-    and the
-    <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
-    Linux wiki page on grsecurity</link>.
-
-    <warning><para>Upstream has ceased free support for grsecurity/PaX.  See
-    <link xlink:href="https://grsecurity.net/passing_the_baton.php">
-    the announcement</link> for more information.  Consequently, NixOS
-    support for grsecurity/PaX also must cease.  Enabling this module will
-    result in a build error.</para></warning>
-    <note><para>We standardise on a desktop oriented configuration primarily due
-    to lack of resources.  The grsecurity/PaX configuration state space is huge
-    and each configuration requires quite a bit of testing to ensure that the
-    resulting packages work as advertised.  Defining additional package sets
-    would likely result in a large number of functionally broken packages, to
-    nobody's benefit.</para></note>
-  </para>
-
-  <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
-
-  <para>
-    To make use of grsecurity/PaX on NixOS, add the following to your
-    <filename>configuration.nix</filename>:
-    <programlisting>
-      security.grsecurity.enable = true;
-    </programlisting>
-    followed by
-    <programlisting>
-      # nixos-rebuild boot
-      # reboot
-    </programlisting>
-    <note><para>
-      Enabling the grsecurity module overrides
-      <option>boot.kernelPackages</option>, to reduce the risk of
-      misconfiguration.  <xref linkend="sec-grsec-custom-kernel" />
-      describes how to use a custom kernel package set.
-    </para></note>
-
-    For most users, further configuration should be unnecessary.  All users
-    are encouraged to look over <xref linkend="sec-grsec-security" /> before
-    using the system, however.  If you experience problems, please refer to
-    <xref linkend="sec-grsec-issues" />.
-  </para>
-
-  <para>
-    Once booted into the new system, you can optionally use
-    <command>paxtest</command> to exercise various PaX features:
-    <screen><![CDATA[
-    # nix-shell -p paxtest --command 'paxtest blackhat'
-    Executable anonymous mapping             : Killed
-    Executable bss                           : Killed
-    # ... remaining output truncated for brevity
-    ]]></screen>
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
-
-  <para>
-    The default configuration mode is strictly declarative.  Some features
-    simply cannot be changed at all after boot, while others are locked once the
-    system is up and running.  Moreover, changes to the configuration enter
-    into effect only upon booting into the new system.
-  </para>
-
-  <para>
-    The NixOS module exposes a limited number of options for tuning the behavior
-    of grsecurity/PaX.  These are options thought to be of particular interest
-    to most users.  For experts, further tuning is possible via
-    <option>boot.kernelParams</option> (see
-    <xref linkend="sec-grsec-kernel-params" />) and
-    <option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
-    contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
-    exhaustive listing of grsecurity sysctl tunables</link>).
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
-
-  <para>
-    To permit manual tuning of grsecurity runtime parameters, set:
-    <programlisting>
-      security.grsecurity.lockTunables = false;
-    </programlisting>
-    Once booted into this system, grsecurity features that have a corresponding
-    sysctl tunable can be changed without rebooting, either by switching into
-    a new system profile or via the <command>sysctl</command> utility.
-  </para>
-
-  <para>
-    To lock all grsecurity tunables until the next boot, do:
-    <screen>
-      # systemctl start grsec-lock
-    </screen>
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
-
-  <para>
-    The NixOS kernel is built using upstream's recommended settings for a
-    desktop deployment that generally favours security over performance.  This
-    section details deviations from upstream's recommendations that may
-    compromise security.
-
-    <warning><para>There may be additional problems not covered here!</para>
-    </warning>
-  </para>
-
-  <itemizedlist>
-
-    <listitem><para>
-      The following hardening features are disabled in the NixOS kernel:
-      <itemizedlist>
-        <listitem><para>Kernel symbol hiding: rendered useless by redistributing
-        kernel objects.</para></listitem>
-
-        <listitem><para>Randomization of kernel structures: rendered useless by
-        redistributing kernel objects.</para></listitem>
-
-        <listitem><para>TCP simultaneous OPEN connection is permitted: breaking
-        strict TCP conformance is inappropriate for a general purpose kernel.
-        The trade-off is that an attacker may be able to deny outgoing
-        connections if they are able to guess the source port allocated by your
-        OS for that connection <emphasis>and</emphasis> also manage to initiate
-        a TCP simultaneous OPEN on that port before the connection is actually
-        established.</para></listitem>
-
-        <listitem><para>Trusted path execution: a desirable feature, but
-        requires some more work to operate smoothly on NixOS.</para></listitem>
-      </itemizedlist>
-    </para></listitem>
-
-    <listitem><para>
-      The NixOS module conditionally weakens <command>chroot</command>
-      restrictions to accommodate NixOS lightweight containers and sandboxed Nix
-      builds.  This can be problematic if the deployment also runs privileged
-      network facing processes that <emphasis>rely</emphasis> on
-      <command>chroot</command> for isolation.
-    </para></listitem>
-
-    <listitem><para>
-      The NixOS kernel is patched to allow usermode helpers from anywhere in the
-      Nix store.  A usermode helper is an executable called by the kernel in
-      certain circumstances, e.g., <command>modprobe</command>.  Vanilla
-      grsecurity only allows usermode helpers from paths typically owned by the
-      super user.  The NixOS kernel allows an attacker to inject malicious code
-      into the Nix store which could then be executed by the kernel as a
-      usermode helper.
-    </para></listitem>
-
-    <listitem><para>
-      The following features are disabled because they overlap with
-      vanilla kernel mechanisms:
-
-      <itemizedlist>
-        <listitem><para><filename class="directory">/proc</filename> hardening:
-        use <option>security.hideProcessInformation</option> instead.  This
-        trades weaker protection for greater compatibility.
-        </para></listitem>
-
-        <listitem><para><command>dmesg</command> restrictions:
-        use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
-        </para></listitem>
-      </itemizedlist>
-    </para></listitem>
-
-  </itemizedlist>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
-
-  <para>
-    The NixOS kernel is likely to be either too permissive or too restrictive
-    for many deployment scenarios.  In addition to producing a kernel more
-    suitable for a particular deployment, a custom kernel may improve security
-    by depriving an attacker the ability to study the kernel object code, adding
-    yet more guesswork to successfully carry out certain exploits.
-  </para>
-
-  <para>
-    To build a custom kernel using upstream's recommended settings for server
-    deployments, while still using the NixOS module:
-    <programlisting>
-      nixpkgs.config.packageOverrides = super: {
-        linux_grsec_nixos = super.linux_grsec_nixos.override {
-          extraConfig = ''
-            GRKERNSEC_CONFIG_AUTO y
-            GRKERNSEC_CONFIG_SERVER y
-            GRKERNSEC_CONFIG_SECURITY y
-          '';
-        };
-      };
-    </programlisting>
-  </para>
-
-  <para>
-    The grsecurity/PaX wikibook provides an exhaustive listing of
-    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
-  </para>
-
-  <para>
-    The NixOS module makes several assumptions about the kernel and so
-    may be incompatible with your customised kernel. Currently, the only way
-    to work around these incompatibilities is to eschew the NixOS
-    module.
-  </para>
-
-  <para>
-    If not using the NixOS module, a custom grsecurity package set can
-    be specified inline instead, as in
-    <programlisting>
-      boot.kernelPackages =
-        let
-          kernel = pkgs.linux_grsec_nixos.override {
-            extraConfig = /* as above */;
-          };
-          self = pkgs.linuxPackagesFor kernel self;
-        in self;
-    </programlisting>
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
-
-  <para>
-    Manual tuning of per-file PaX flags for executables in the Nix store is
-    impossible on a properly configured system.  If a package in Nixpkgs fails
-    due to PaX, that is a bug in the package recipe and should be reported to
-    the maintainer (including relevant <command>dmesg</command> output).
-  </para>
-
-  <para>
-    For executables installed outside of the Nix store, PaX flags can be set
-    using the <command>paxctl</command> utility:
-    <programlisting>
-      paxctl -czem <replaceable>foo</replaceable>
-    </programlisting>
-
-    <warning>
-      <para><command>paxctl</command> overwrites files in-place.</para>
-    </warning>
-
-    Equivalently, on file systems that support extended attributes:
-    <programlisting>
-      setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
-    </programlisting>
-
-    <!-- TODO: PaX flags via RBAC policy -->
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
-
-  <itemizedlist>
-    <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
-    consequently, unprivileged namespaces are unsupported. Applications that
-    rely on namespaces for sandboxing must use a privileged helper. For chromium
-    there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
-
-    <listitem><para>Access to EFI runtime services is disabled by default:
-    this plugs a potential code injection attack vector; use
-    <option>security.grsecurity.disableEfiRuntimeServices</option> to override
-    this behavior.</para></listitem>
-
-    <listitem><para>User initiated autoloading of modules (e.g., when
-    using fuse or loop devices) is disallowed; either load requisite modules
-    as root or add them to <option>boot.kernelModules</option>.</para></listitem>
-
-    <listitem><para>Virtualization: KVM is the preferred virtualization
-    solution. Xen, Virtualbox, and VMWare are
-    <emphasis>unsupported</emphasis> and most likely require a custom kernel.
-    </para></listitem>
-
-    <listitem><para>
-      Attaching <command>gdb</command> to a running process is disallowed by
-      default: unprivileged users can only ptrace processes that are children of
-      the ptracing process.  To relax this restriction, set
-      <programlisting>
-        boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
-      </programlisting>
-    </para></listitem>
-
-    <listitem><para>
-      Overflows in boot critical code (e.g., the root filesystem module) can
-      render the system unbootable.  Work around by setting
-      <programlisting>
-        boot.kernelParams = [ "pax_size_overflow_report_only" ];
-      </programlisting>
-    </para></listitem>
-
-    <listitem><para>
-      The <citerefentry><refentrytitle>modify_ldt
-      </refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
-      by default.  This restriction can interfere with programs designed to run
-      legacy 16-bit or segmented 32-bit code.  To support applications that rely
-      on this syscall, set
-      <programlisting>
-        boot.kernel.sysctl."kernel.modify_ldt" = 1;
-      </programlisting>
-    </para></listitem>
-
-    <listitem><para>
-      The gitlab service (<xref linkend="module-services-gitlab" />)
-      requires a variant of the <literal>ruby</literal> interpreter
-      built without `mprotect()` hardening, as in
-      <programlisting>
-        services.gitlab.packages.gitlab = pkgs.gitlab.override {
-          ruby = pkgs.ruby.overrideAttrs (attrs: {
-            postFixup = "paxmark m $out/bin/ruby";
-          });
-        };
-      </programlisting>
-    </para></listitem>
-
-  </itemizedlist>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
-
-  <para>
-    The NixOS kernel supports the following kernel command line parameters:
-    <itemizedlist>
-      <listitem><para>
-        <literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
-        user address spaces).
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_weakuderef</literal>: enable a faster but
-        weaker variant of UDEREF on 64-bit processors with PCID support
-        (check <code>grep pcid /proc/cpuinfo</code>).
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
-        slab object sanitization. Defaults to <literal>fast</literal>
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_size_overflow_report_only</literal>: log size overflow
-        violations but leave the violating task running
-      </para></listitem>
-
-      <listitem><para>
-        <literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
-        restrictions. The NixOS module sets this to <literal>0</literal>
-        for systemd compatibility
-      </para></listitem>
-    </itemizedlist>
-  </para>
-
-  </sect1>
-
-</chapter>
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index fcc0f58637c4..43fec5ff5bb2 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -270,8 +270,8 @@ in
 
           ${optionalString haveLocalDB ''
             if ! [ -e ${baseDir}/.db-created ]; then
-              ${config.services.postgresql.package}/bin/createuser hydra
-              ${config.services.postgresql.package}/bin/createdb -O hydra hydra
+              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
+              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
               touch ${baseDir}/.db-created
             fi
           ''}
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index d06e03a52978..1bbab3296005 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -38,9 +38,6 @@ let
 
   pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4";
 
-  # NixOS traditionally used `root` as superuser, most other distros use `postgres`. From 17.09
-  # we also try to follow this standard
-  superuser = (if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root");
 
 in
 
@@ -151,6 +148,16 @@ in
           Contents of the <filename>recovery.conf</filename> file.
         '';
       };
+      superUser = mkOption {
+        type = types.str;
+        default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
+        internal = true;
+        description = ''
+          NixOS traditionally used `root` as superuser, most other distros use `postgres`.
+          From 17.09 we also try to follow this standard. Internal since changing this value
+          would lead to breakage while setting up databases.
+        '';
+        };
     };
 
   };
@@ -215,7 +222,7 @@ in
           ''
             # Initialise the database.
             if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              initdb -U ${superuser}
+              initdb -U ${cfg.superUser}
               # See postStart!
               touch "${cfg.dataDir}/.first_startup"
             fi
@@ -247,14 +254,14 @@ in
         # Wait for PostgreSQL to be ready to accept connections.
         postStart =
           ''
-            while ! ${pkgs.sudo}/bin/sudo -u ${superuser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
+            while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
                 if ! kill -0 "$MAINPID"; then exit 1; fi
                 sleep 0.1
             done
 
             if test -e "${cfg.dataDir}/.first_startup"; then
               ${optionalString (cfg.initialScript != null) ''
-                ${pkgs.sudo}/bin/sudo -u ${superuser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
+                ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
               ''}
               rm -f "${cfg.dataDir}/.first_startup"
             fi
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index ccc1854d2548..fcb7aaa62716 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -10,10 +10,12 @@ let
   ruby = cfg.packages.gitlab.ruby;
   bundler = pkgs.bundler;
 
-  gemHome = "${cfg.packages.gitlab.env}/${ruby.gemPath}";
+  gemHome = "${cfg.packages.gitlab.ruby-env}/${ruby.gemPath}";
 
   gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
+  gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
   pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
+  pgSuperUser = config.services.postgresql.superUser;
 
   databaseYml = ''
     production:
@@ -25,6 +27,17 @@ let
       encoding: utf8
   '';
 
+  gitalyToml = pkgs.writeText "gitaly.toml" ''
+    socket_path = "${lib.escape ["\""] gitalySocket}"
+    # prometheus metrics
+
+    ${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
+    [[storage]]
+    name = "${lib.escape ["\""] k}"
+    path = "${lib.escape ["\""] v.path}"
+    '') gitlabConfig.production.repositories.storages))}
+  '';
+
   gitlabShellYml = ''
     user: ${cfg.user}
     gitlab_url: "http+unix://${pathUrlQuote gitlabSocket}"
@@ -46,6 +59,7 @@ let
       secret_key_base: ${cfg.secrets.secret}
       otp_key_base: ${cfg.secrets.otp}
       db_key_base: ${cfg.secrets.db}
+      jws_private_key: ${builtins.toJSON cfg.secrets.jws}
   '';
 
   gitlabConfig = {
@@ -69,7 +83,8 @@ let
           container_registry = true;
         };
       };
-      repositories.storages.default = "${cfg.statePath}/repositories";
+      repositories.storages.default.path = "${cfg.statePath}/repositories";
+      repositories.storages.default.gitaly_address = "unix:${gitalySocket}";
       artifacts.enabled = true;
       lfs.enabled = true;
       gravatar.enabled = true;
@@ -105,9 +120,9 @@ let
     GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
     GITLAB_LOG_PATH = "${cfg.statePath}/log";
     GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}";
-    GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml";
+    GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/home/config.yml";
     GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret";
-    GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/shell/hooks";
+    GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/home/hooks";
     RAILS_ENV = "production";
   };
 
@@ -115,15 +130,15 @@ let
 
   gitlab-rake = pkgs.stdenv.mkDerivation rec {
     name = "gitlab-rake";
-    buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.env pkgs.makeWrapper ];
+    buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.ruby-env pkgs.makeWrapper ];
     phases = "installPhase fixupPhase";
     buildPhase = "";
     installPhase = ''
       mkdir -p $out/bin
-      makeWrapper ${cfg.packages.gitlab.env}/bin/bundle $out/bin/gitlab-bundle \
+      makeWrapper ${cfg.packages.gitlab.ruby-env}/bin/bundle $out/bin/gitlab-bundle \
           ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
           --set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \
-          --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip config.services.postgresql.package ]}:$PATH' \
+          --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \
           --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \
           --run 'cd ${cfg.packages.gitlab}/share/gitlab'
       makeWrapper $out/bin/gitlab-bundle $out/bin/gitlab-rake \
@@ -182,6 +197,13 @@ in {
         description = "Reference to the gitlab-workhorse package";
       };
 
+      packages.gitaly = mkOption {
+        type = types.package;
+        default = pkgs.gitaly;
+        defaultText = "pkgs.gitaly";
+        description = "Reference to the gitaly package";
+      };
+
       statePath = mkOption {
         type = types.str;
         default = "/var/gitlab/state";
@@ -359,6 +381,19 @@ in {
         '';
       };
 
+      secrets.jws = mkOption {
+        type = types.str;
+        description = ''
+          The secret is used to encrypt session keys. If you change or lose
+          this key, users will be disconnected.
+
+          Make sure the secret is an RSA private key in PEM format. You can
+          generate one with
+
+          openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.attrs;
         default = {};
@@ -428,7 +463,24 @@ in {
         TimeoutSec = "300";
         Restart = "on-failure";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
+        ExecStart="${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
+      };
+    };
+
+    systemd.services.gitaly = {
+      after = [ "network.target" "gitlab.service" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.HOME = gitlabEnv.HOME;
+      path = with pkgs; [ gitAndTools.git ];
+      serviceConfig = {
+        #PermissionsStartOnly = true; # preStart must be run as root
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        TimeoutSec = "300";
+        Restart = "on-failure";
+        WorkingDirectory = gitlabEnv.HOME;
+        ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
       };
     };
 
@@ -477,6 +529,7 @@ in {
         gitAndTools.git
         openssh
         nodejs
+        procps
       ];
       preStart = ''
         mkdir -p ${cfg.backupPath}
@@ -486,12 +539,11 @@ in {
         mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
         mkdir -p ${gitlabConfig.production.shared.path}/pages
         mkdir -p ${cfg.statePath}/log
-        mkdir -p ${cfg.statePath}/shell
         mkdir -p ${cfg.statePath}/tmp/pids
         mkdir -p ${cfg.statePath}/tmp/sockets
 
-        rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
-        mkdir -p ${cfg.statePath}/config ${cfg.statePath}/shell
+        rm -rf ${cfg.statePath}/config ${cfg.statePath}/home/hooks
+        mkdir -p ${cfg.statePath}/config
 
         tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 > ${cfg.statePath}/config/gitlab_shell_secret
 
@@ -507,7 +559,6 @@ in {
         mkdir -p ${gitlabEnv.HOME}/.ssh
         touch ${gitlabEnv.HOME}/.ssh/authorized_keys
         chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/
-        chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}/
 
         cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
         ${optionalString cfg.smtp.enable ''
@@ -532,14 +583,14 @@ in {
 
         if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
           if ! test -e "${cfg.statePath}/db-created"; then
-            psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
-            ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
+            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName}
             touch "${cfg.statePath}/db-created"
           fi
         fi
 
         # enable required pg_trgm extension for gitlab
-        psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
+        ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
         # Always do the db migrations just to be sure the database is up-to-date
         ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
 
@@ -555,7 +606,8 @@ in {
         # Change permissions in the last step because some of the
         # intermediary scripts like to create directories as root.
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
-        chmod -R u+rwX,go-rwx+X ${cfg.statePath}
+        chmod -R ug+rwX,o-rwx+X ${cfg.statePath}
+        chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}
       '';
 
       serviceConfig = {
@@ -566,7 +618,7 @@ in {
         TimeoutSec = "300";
         Restart = "on-failure";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart = "${cfg.packages.gitlab.env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
+        ExecStart = "${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
       };
 
     };
diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix
index 1ea6bf88d7ae..ec1e97f4125e 100644
--- a/nixos/modules/services/torrent/deluge.nix
+++ b/nixos/modules/services/torrent/deluge.nix
@@ -57,7 +57,7 @@ in {
       after = [ "network.target" ];
       description = "Deluge BitTorrent WebUI";
       wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.pythonPackages.deluge ];
+      path = [ pkgs.deluge ];
       serviceConfig.ExecStart = "${pkgs.deluge}/bin/deluge --ui web";
       serviceConfig.User = "deluge";
       serviceConfig.Group = "deluge";
diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix
index 1230d9cf534d..7a95ac6549d8 100644
--- a/nixos/modules/services/x11/desktop-managers/mate.nix
+++ b/nixos/modules/services/x11/desktop-managers/mate.nix
@@ -60,10 +60,7 @@ in
       '';
     };
 
-    environment.systemPackages = [
-      pkgs.hicolor_icon_theme
-      pkgs.mate.mate-icon-theme
-    ]  ++
+    environment.systemPackages =
       pkgs.mate.basePackages ++
       (removePackagesByName
         pkgs.mate.extraPackages
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index 779005c0df52..3333569c36be 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -12,6 +12,9 @@ import warnings
 import ctypes
 libc = ctypes.CDLL("libc.so.6")
 import re
+import datetime
+import glob
+import os.path
 
 def copy_if_not_exists(source, dest):
     if not os.path.exists(dest):
@@ -24,7 +27,7 @@ def system_dir(profile, generation):
         return "/nix/var/nix/profiles/system-%d-link" % (generation)
 
 BOOT_ENTRY = """title NixOS{profile}
-version Generation {generation}
+version Generation {generation} {description}
 linux {kernel}
 initrd {initrd}
 options {kernel_params}
@@ -54,6 +57,26 @@ def copy_from_profile(profile, generation, name, dry_run=False):
         copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path))
     return efi_file_path
 
+def describe_generation(generation_dir):
+    try:
+        with open("%s/nixos-version" % generation_dir) as f:
+            nixos_version = f.read()
+    except IOError:
+        nixos_version = "Unknown"
+
+    kernel_dir = os.path.dirname(os.path.realpath("%s/kernel" % generation_dir))
+    module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0]
+    kernel_version = os.path.basename(module_dir)
+
+    build_time = int(os.path.getctime(generation_dir))
+    build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
+
+    description = "NixOS {}, Linux Kernel {}, Built on {}".format(
+        nixos_version, kernel_version, build_date
+    )
+
+    return description
+
 def write_entry(profile, generation, machine_id):
     kernel = copy_from_profile(profile, generation, "kernel")
     initrd = copy_from_profile(profile, generation, "initrd")
@@ -69,6 +92,7 @@ def write_entry(profile, generation, machine_id):
     generation_dir = os.readlink(system_dir(profile, generation))
     tmp_path = "%s.tmp" % (entry_file)
     kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir)
+
     with open("%s/kernel-params" % (generation_dir)) as params_file:
         kernel_params = kernel_params + params_file.read()
     with open(tmp_path, 'w') as f:
@@ -76,7 +100,8 @@ def write_entry(profile, generation, machine_id):
                     generation=generation,
                     kernel=kernel,
                     initrd=initrd,
-                    kernel_params=kernel_params))
+                    kernel_params=kernel_params,
+                    description=describe_generation(generation_dir)))
         if machine_id is not None:
             f.write("machine-id %s\n" % machine_id)
     os.rename(tmp_path, entry_file)
diff --git a/nixos/tests/hydra.nix b/nixos/tests/hydra.nix
new file mode 100644
index 000000000000..6abd7a5ad300
--- /dev/null
+++ b/nixos/tests/hydra.nix
@@ -0,0 +1,32 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "hydra-init-localdb";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ pstn ];
+  };
+
+  machine =
+    { config, pkgs, ... }:
+
+    {
+      services.hydra = {
+        enable = true;
+
+        #Hydra needs those settings to start up, so we add something not harmfull.
+        hydraURL = "example.com";
+        notificationSender = "example@example.com";
+      };
+    };
+
+  testScript =
+    ''
+      # let the system boot up
+      $machine->waitForUnit("multi-user.target");
+      # test whether the database is running
+      $machine->succeed("systemctl status postgresql.service");
+      # test whether the actual hydra daemons are running
+      $machine->succeed("systemctl status hydra-queue-runner.service");
+      $machine->succeed("systemctl status hydra-init.service");
+      $machine->succeed("systemctl status hydra-evaluator.service");
+      $machine->succeed("systemctl status hydra-send-stats.service");
+     '';
+})