authorAlyssa Ross <hi@alyssa.is>2019-08-22 13:47:37 +0000
committerAlyssa Ross <hi@alyssa.is>2019-08-22 18:22:22 +0000
commit1b9a13c4689af7e088eb7af5589f8c811282846a (patch)
tree3ed032953008280fb94ef894c869ff3e2a2f7865 /nixpkgs/nixos/modules/profiles
parent4999a38db7c5de0ea9f514a12ecd4133cce647f3 (diff)
parent1412af4b2cfae71d447164097d960d426e9752c0 (diff)
Merge remote-tracking branch 'channels/nixos-unstable'
Diffstat (limited to 'nixpkgs/nixos/modules/profiles')
-rw-r--r--nixpkgs/nixos/modules/profiles/hardened.nix6
-rw-r--r--nixpkgs/nixos/modules/profiles/installation-device.nix27
2 files changed, 26 insertions, 7 deletions
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index 9e9ddd4f3788..3ff9a2b4fde0 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -44,6 +44,9 @@ with lib;
 
     # Disable legacy virtual syscalls
     "vsyscall=none"
+
+    # Enable page allocator randomization
+    "page_alloc.shuffle=1"
   ];
 
   boot.blacklistedKernelModules = [
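Review bot: Both new hardening knobs, `"page_alloc.shuffle=1"` here and `vm.unprivileged_userfaultfd` in the hunk at `@@ -121,4 +124,7 @@`, depend on kernel support that I believe only exists from Linux 5.2 onwards (the former also needs CONFIG_SHUFFLE_PAGE_ALLOCATOR), and on an older or custom kernel the boot parameter is silently ignored while the sysctl will simply fail to apply, so the profile would appear hardened without being so. The comments should say which kernel is assumed so the reader can verify it against `boot.kernelPackages`, e.g. `# Enable page allocator randomization (no-op on kernels without CONFIG_SHUFFLE_PAGE_ALLOCATOR, i.e. before 5.2)` and `# Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability (sysctl exists from Linux 5.2)`. The kernel-package selection for this profile is outside the hunk, so I cannot confirm from here that it is recent enough.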
@@ -121,4 +124,7 @@ with lib;
   # Ignore outgoing ICMP redirects (this is ipv4 only)
   boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
   boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
+
+  # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
+  boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
 }
diff --git a/nixpkgs/nixos/modules/profiles/installation-device.nix b/nixpkgs/nixos/modules/profiles/installation-device.nix
index 580ea4a58e5b..1a6e06995603 100644
--- a/nixpkgs/nixos/modules/profiles/installation-device.nix
+++ b/nixpkgs/nixos/modules/profiles/installation-device.nix
@@ -32,19 +32,35 @@ with lib;
     #services.rogue.enable = true;
 
     # Disable some other stuff we don't need.
-    security.sudo.enable = mkDefault false;
     services.udisks2.enable = mkDefault false;
 
+    # Use less privileged nixos user
+    users.users.nixos = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" "networkmanager" "video" ];
+      # Allow the graphical user to login without password
+      initialHashedPassword = "";
+    };
+
+    # Allow the user to log in as root without a password.
+    users.users.root.initialHashedPassword = "";
+
+    # Allow passwordless sudo from nixos user
+    security.sudo = {
+      enable = mkDefault true;
+      wheelNeedsPassword = mkForce false;
+    };
+
     # Automatically log in at the virtual consoles.
-    services.mingetty.autologinUser = "root";
+    services.mingetty.autologinUser = "nixos";
 
     # Some more help text.
     services.mingetty.helpLine =
       ''
 
-        The "root" account has an empty password.  ${
+        The "nixos" and "root" account have empty passwords.  ${
           optionalString config.services.xserver.enable
-            "Type `systemctl start display-manager' to\nstart the graphical user interface."}
+            "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
       '';
 
     # Allow sshd to be started manually through "systemctl start sshd".
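Review bot: `wheelNeedsPassword = mkForce false;` on the added `security.sudo` block breaks the surrounding convention, where every other installer default (`enable = mkDefault true`, `services.udisks2.enable = mkDefault false`) is overridable, so anyone building a derived image who wants sudo to prompt for a password cannot do so without dropping this profile. Since the `nixos` account is in `wheel` and has an empty `initialHashedPassword`, this line is what turns a passwordless console login into a passwordless root path, which is exactly the setting a downstream image is most likely to want to tighten; `wheelNeedsPassword = mkDefault false;` keeps the installer behaviour while staying overridable. The comment on the empty password, `# Allow the graphical user to login without password`, is also narrower than the code: this user is now the mingetty autologin user as well, so `# Allow the nixos user to log in (console and graphical) without a password` would be accurate. The enclosing attribute set continues past the end of the hunk.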
@@ -86,8 +102,5 @@ with lib;
     # because we have the firewall enabled. This makes installs from the
     # console less cumbersome if the machine has a public IP.
     networking.firewall.logRefusedConnections = mkDefault false;
-
-    # Allow the user to log in as root without a password.
-    users.users.root.initialHashedPassword = "";
   };
 }