Diffstat (limited to 'nixpkgs/nixos/modules/profiles')
-rw-r--r-- | nixpkgs/nixos/modules/profiles/all-hardware.nix | 57 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/base.nix | 56 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/clone-config.nix | 109 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/demo.nix | 19 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/docker-container.nix | 54 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/graphical.nix | 22 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/hardened.nix | 122 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/headless.nix | 25 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/installation-device.nix | 106 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/minimal.nix | 17 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/profiles/qemu-guest.nix | 19 |
11 files changed, 606 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/profiles/all-hardware.nix b/nixpkgs/nixos/modules/profiles/all-hardware.nix
new file mode 100644
index 000000000000..19f821ae17f3
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/all-hardware.nix
@@ -0,0 +1,57 @@
+# This module enables all hardware supported by NixOS: i.e., all
+# firmware is included, and all devices from which one may boot are
+# enabled in the initrd. Its primary use is in the NixOS installation
+# CDs.
+
+{ ... }:
+
+{
+
+ # The initrd has to contain any module that might be necessary for
+ # supporting the most important parts of HW like drives.
+ boot.initrd.availableKernelModules =
+ [ # SATA/PATA support.
+ "ahci"
+
+ "ata_piix"
+
+ "sata_inic162x" "sata_nv" "sata_promise" "sata_qstor"
+ "sata_sil" "sata_sil24" "sata_sis" "sata_svw" "sata_sx4"
+ "sata_uli" "sata_via" "sata_vsc"
+
+ "pata_ali" "pata_amd" "pata_artop" "pata_atiixp" "pata_efar"
+ "pata_hpt366" "pata_hpt37x" "pata_hpt3x2n" "pata_hpt3x3"
+ "pata_it8213" "pata_it821x" "pata_jmicron" "pata_marvell"
+ "pata_mpiix" "pata_netcell" "pata_ns87410" "pata_oldpiix"
+ "pata_pcmcia" "pata_pdc2027x" "pata_qdi" "pata_rz1000"
+ "pata_serverworks" "pata_sil680" "pata_sis"
+ "pata_sl82c105" "pata_triflex" "pata_via"
+ "pata_winbond"
+
+ # SCSI support (incomplete).
+ "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr"
+
+ # USB support, especially for booting from USB CD-ROM
+ # drives.
+ "uas"
+
+ # Firewire support. Not tested.
+ "ohci1394" "sbp2"
+
+ # Virtio (QEMU, KVM etc.) support.
+ "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console"
+
+ # VMware support.
+ "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock"
+
+ # Hyper-V support.
+ "hv_storvsc"
+ ];
+
+ # Include lots of firmware.
+ hardware.enableRedistributableFirmware = true;
+
+ imports =
+ [ ../hardware/network/zydas-zd1211.nix ];
+
+}
diff --git a/nixpkgs/nixos/modules/profiles/base.nix b/nixpkgs/nixos/modules/profiles/base.nix
new file mode 100644
index 000000000000..2a2fe119d30c
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/base.nix
@@ -0,0 +1,56 @@
+# This module defines the software packages included in the "minimal"
+# installation CD. It might be useful elsewhere.
+
+{ lib, pkgs, ... }:
+
+{
+ # Include some utilities that are useful for installing or repairing
+ # the system.
+ environment.systemPackages = [
+ pkgs.w3m-nographics # needed for the manual anyway
+ pkgs.testdisk # useful for repairing boot problems
+ pkgs.ms-sys # for writing Microsoft boot sectors / MBRs
+ pkgs.efibootmgr
+ pkgs.efivar
+ pkgs.parted
+ pkgs.gptfdisk
+ pkgs.ddrescue
+ pkgs.ccrypt
+ pkgs.cryptsetup # needed for dm-crypt volumes
+ pkgs.mkpasswd # for generating password files
+
+ # Some text editors.
+ pkgs.vim
+
+ # Some networking tools.
+ pkgs.fuse
+ pkgs.fuse3
+ pkgs.sshfs-fuse
+ pkgs.socat
+ pkgs.screen
+
+ # Hardware-related tools.
+ pkgs.sdparm
+ pkgs.hdparm
+ pkgs.smartmontools # for diagnosing hard disks
+ pkgs.pciutils
+ pkgs.usbutils
+
+ # Tools to create / manipulate filesystems.
+ pkgs.ntfsprogs # for resizing NTFS partitions
+ pkgs.dosfstools
+ pkgs.xfsprogs.bin
+ pkgs.jfsutils
+ pkgs.f2fs-tools
+
+ # Some compression/archiver tools.
+ pkgs.unzip
+ pkgs.zip
+ ];
+
+ # Include support for various filesystems.
+ boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
+
+ # Configure host id for ZFS to work
+ networking.hostId = lib.mkDefault "8425e349";
+}
diff --git a/nixpkgs/nixos/modules/profiles/clone-config.nix b/nixpkgs/nixos/modules/profiles/clone-config.nix
new file mode 100644
index 000000000000..3f669ba7d2e1
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/clone-config.nix
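Review bot: `networking.hostId = lib.mkDefault "8425e349"` at the end of base.nix gives every system built from this profile the same host id, and the comment does not say this is only a placeholder. ZFS stores the host id of the system that imported a pool and uses it to refuse imports from a different host, so two machines that both kept this default lose that protection when a pool is moved between them. The comment should make the expectation explicit: `# Configure host id for ZFS to work. This is a shared placeholder: systems installed from this profile should set their own networking.hostId, since ZFS relies on it to detect a pool still imported elsewhere.`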
@@ -0,0 +1,109 @@ +{ config, lib, pkgs, modules, ... }: + +with lib; + +let + + # Location of the repository on the harddrive + nixosPath = toString ../..; + + # Check if the path is from the NixOS repository + isNixOSFile = path: + let s = toString path; in + removePrefix nixosPath s != s; + + # Copy modules given as extra configuration files. Unfortunately, we + # cannot serialized attribute set given in the list of modules (that's why + # you should use files). + moduleFiles = + # FIXME: use typeOf (Nix 1.6.1). + filter (x: !isAttrs x && !lib.isFunction x) modules; + + # Partition module files because between NixOS and non-NixOS files. NixOS + # files may change if the repository is updated. + partitionedModuleFiles = + let p = partition isNixOSFile moduleFiles; in + { nixos = p.right; others = p.wrong; }; + + # Path transformed to be valid on the installation device. Thus the + # device configuration could be rebuild. + relocatedModuleFiles = + let + relocateNixOS = path: + "<nixpkgs/nixos" + removePrefix nixosPath (toString path) + ">"; + in + { nixos = map relocateNixOS partitionedModuleFiles.nixos; + others = []; # TODO: copy the modules to the install-device repository. + }; + + # A dummy /etc/nixos/configuration.nix in the booted CD that + # rebuilds the CD's configuration (and allows the configuration to + # be modified, of course, providing a true live CD). Problem is + # that we don't really know how the CD was built - the Nix + # expression language doesn't allow us to query the expression being + # evaluated. So we'll just hope for the best. + configClone = pkgs.writeText "configuration.nix" + '' + { config, pkgs, ... 
}: + + { + imports = [ ${toString config.installer.cloneConfigIncludes} ]; + + ${config.installer.cloneConfigExtra} + } + ''; + +in + +{ + + options = { + + installer.cloneConfig = mkOption { + default = true; + description = '' + Try to clone the installation-device configuration by re-using it's + profile from the list of imported modules. + ''; + }; + + installer.cloneConfigIncludes = mkOption { + default = []; + example = [ "./nixos/modules/hardware/network/rt73.nix" ]; + description = '' + List of modules used to re-build this installation device profile. + ''; + }; + + installer.cloneConfigExtra = mkOption { + default = ""; + description = '' + Extra text to include in the cloned configuration.nix included in this + installer. + ''; + }; + }; + + config = { + + installer.cloneConfigIncludes = + relocatedModuleFiles.nixos ++ relocatedModuleFiles.others; + + boot.postBootCommands = + '' + # Provide a mount point for nixos-install. + mkdir -p /mnt + + ${optionalString config.installer.cloneConfig '' + # Provide a configuration for the CD/DVD itself, to allow users + # to run nixos-rebuild to change the configuration of the + # running system on the CD/DVD. + if ! [ -e /etc/nixos/configuration.nix ]; then + cp ${configClone} /etc/nixos/configuration.nix + fi + ''} + ''; + + }; + +} diff --git a/nixpkgs/nixos/modules/profiles/demo.nix b/nixpkgs/nixos/modules/profiles/demo.nix new file mode 100644 index 000000000000..18f190071bad --- /dev/null +++ b/nixpkgs/nixos/modules/profiles/demo.nix @@ -0,0 +1,19 @@ +{ ... }: + +{ + imports = [ ./graphical.nix ]; + + users.users.demo = + { isNormalUser = true; + description = "Demo user account"; + extraGroups = [ "wheel" ]; + password = "demo"; + uid = 1000; + }; + + services.xserver.displayManager.sddm.autoLogin = { + enable = true; + relogin = true; + user = "demo"; + }; +} 
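Review bot: None of the three `installer.cloneConfig*` options in clone-config.nix declares a `type`, so a mistyped value (a string instead of a list for `cloneConfigIncludes`, a non-boolean for `cloneConfig`) is only caught when `toString`/`optionalString` evaluate it, with an error that does not name the option. `with lib;` is already in scope, so the three `mkOption` calls can take `type = types.bool;`, `type = types.listOf types.str;` and `type = types.lines;` respectively, which also documents the expected shape for readers. The `installer.cloneConfig` description reads "re-using it's profile" where "its" is meant.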
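Review bot: demo.nix creates `users.users.demo` with a fixed cleartext `password = "demo"`, puts it in `wheel`, and auto-logs it in through sddm, yet the file has no header comment saying what it is for; anyone importing it into a non-demo image inherits a publicly known password on an administrative account. Suggested header: `# Demo profile: an auto-logged-in "demo" account with a fixed, public password and wheel membership. Intended only for throwaway demo/live images; do not import into a deployed system.` Using `password` rather than `initialHashedPassword` also means the cleartext value ends up in the generated configuration in the Nix store, which is fine for a demo image but worth stating in the same comment.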
diff --git a/nixpkgs/nixos/modules/profiles/docker-container.nix b/nixpkgs/nixos/modules/profiles/docker-container.nix
new file mode 100644
index 000000000000..5d6b11498b52
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/docker-container.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
+
+in {
+ # Docker image config.
+ imports = [
+ ../installer/cd-dvd/channel.nix
+ ./minimal.nix
+ ./clone-config.nix
+ ];
+
+ # Create the tarball
+ system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
+ contents = [
+ {
+ source = "${config.system.build.toplevel}/.";
+ target = "./";
+ }
+ ];
+ extraArgs = "--owner=0";
+
+ # Add init script to image
+ storeContents = pkgs2storeContents [
+ config.system.build.toplevel
+ pkgs.stdenv
+ ];
+
+ # Some container managers like lxc need these
+ extraCommands = "mkdir -p proc sys dev";
+ };
+
+ boot.isContainer = true;
+ boot.postBootCommands =
+ ''
+ # After booting, register the contents of the Nix store in the Nix
+ # database.
+ if [ -f /nix-path-registration ]; then
+ ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
+ rm /nix-path-registration
+ fi
+
+ # nixos-rebuild also requires a "system" profile
+ ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+
+ # Install new init script
+ system.activationScripts.installInitScript = ''
+ ln -fs $systemConfig/init /init
+ '';
+}
diff --git a/nixpkgs/nixos/modules/profiles/graphical.nix b/nixpkgs/nixos/modules/profiles/graphical.nix
new file mode 100644
index 000000000000..649f5564ac61
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/graphical.nix
@@ -0,0 +1,22 @@
+# This module defines a NixOS configuration with the Plasma 5 desktop.
+# It's used by the graphical installation CD.
+
+{ pkgs, ... }:
+
+{
+ services.xserver = {
+ enable = true;
+ displayManager.sddm.enable = true;
+ desktopManager.plasma5 = {
+ enable = true;
+ enableQt4Support = false;
+ };
+ libinput.enable = true; # for touchpad support on many laptops
+ };
+
+ # Enable sound in virtualbox appliances.
+ hardware.pulseaudio.enable = true;
+ hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
+
+ environment.systemPackages = [ pkgs.glxinfo pkgs.firefox ];
+}
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
new file mode 100644
index 000000000000..626d8b1d2bde
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
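Review bot: The comment on `hardware.pulseaudio.systemWide = true` justifies a system-wide PulseAudio daemon with "we run plasma as root", but nothing in graphical.nix sets up a root session, and installation-device.nix in this same commit auto-logs in the unprivileged `nixos` user at the consoles. If the graphical session no longer runs as root, the system-wide daemon (which exposes the audio server to every local account rather than per-user) is no longer justified by this comment and could be reconsidered; if it still does, the comment should say where that is configured. Suggested: `# Needed while the installer's graphical session runs as root (configured outside this file); re-check if that changes.`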
@@ -0,0 +1,122 @@ +# A profile with most (vanilla) hardening options enabled by default, +# potentially at the cost of features and performance. + +{ lib, pkgs, ... }: + +with lib; + +{ + meta = { + maintainers = [ maintainers.joachifm ]; + }; + + boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; + + nix.allowedUsers = mkDefault [ "@users" ]; + + security.hideProcessInformation = mkDefault true; + + security.lockKernelModules = mkDefault true; + + security.allowUserNamespaces = mkDefault false; + + security.protectKernelImage = mkDefault true; + + security.allowSimultaneousMultithreading = mkDefault false; + + security.forcePageTableIsolation = mkDefault true; + + security.virtualisation.flushL1DataCache = mkDefault "always"; + + security.apparmor.enable = mkDefault true; + + boot.kernelParams = [ + # Slab/slub sanity checks, redzoning, and poisoning + "slub_debug=FZP" + + # Disable slab merging to make certain heap overflow attacks harder + "slab_nomerge" + + # Overwrite free'd memory + "page_poison=1" + + # Disable legacy virtual syscalls + "vsyscall=none" + + # Enable page allocator randomization + "page_alloc.shuffle=1" + ]; + + boot.blacklistedKernelModules = [ + # Obscure network protocols + "ax25" + "netrom" + "rose" + ]; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; + + # Restrict access to kernel ring buffer (information leaks) + boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; + + # Hide kptrs even for processes with CAP_SYSLOG + boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; + + # Unprivileged access to bpf() has been used for privilege escalation in + # the past + boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true; + + # Disable bpf() JIT (to eliminate spray attacks) + boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; + + # ... 
or at least apply some hardening to it + boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; + + # Raise ASLR entropy for 64bit & 32bit, respectively. + # + # Note: mmap_rnd_compat_bits may not exist on 64bit. + boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; + boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; + + # Allowing users to mmap() memory starting at virtual address 0 can turn a + # NULL dereference bug in the kernel into code execution with elevated + # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory + # space. This breaks applications that require mapping the 0 page, such as + # dosemu or running 16bit applications under wine. It also breaks older + # versions of qemu. + # + # The value is taken from the KSPP recommendations (Debian uses 4096). + boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; + + # Disable ftrace debugging + boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; + + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). 
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; + + # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability + boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; +} diff --git a/nixpkgs/nixos/modules/profiles/headless.nix b/nixpkgs/nixos/modules/profiles/headless.nix new file mode 100644 index 000000000000..46a9b6a7d8d5 --- /dev/null +++ b/nixpkgs/nixos/modules/profiles/headless.nix 
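Review bot: `boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false` cannot take effect on a kernel built with `CONFIG_BPF_JIT_ALWAYS_ON`, which makes that sysctl accept only the value 1, so the write is rejected at boot and only the following `bpf_jit_harden` line applies. Because `boot.kernelPackages` is only `mkDefault` here and users may substitute a kernel with that option, the comment should state the expected outcome rather than implying the JIT is always off: `# Disable bpf() JIT (to eliminate spray attacks). Rejected on kernels built with CONFIG_BPF_JIT_ALWAYS_ON; bpf_jit_harden below still applies.` Whether a rejected write is treated as fatal or merely logged by the sysctl service is not visible in this hunk. The hardened.nix hunk begins on an earlier physical line.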
@@ -0,0 +1,25 @@
+# Common configuration for headless machines (e.g., Amazon EC2
+# instances).
+
+{ lib, ... }:
+
+with lib;
+
+{
+ boot.vesa = false;
+
+ # Don't start a tty on the serial consoles.
+ systemd.services."serial-getty@ttyS0".enable = false;
+ systemd.services."serial-getty@hvc0".enable = false;
+ systemd.services."getty@tty1".enable = false;
+ systemd.services."autovt@".enable = false;
+
+ # Since we can't manually respond to a panic, just reboot.
+ boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];
+
+ # Don't allow emergency mode, because we don't have a console.
+ systemd.enableEmergencyMode = false;
+
+ # Being headless, we don't need a GRUB splash image.
+ boot.loader.grub.splashImage = null;
+}
diff --git a/nixpkgs/nixos/modules/profiles/installation-device.nix b/nixpkgs/nixos/modules/profiles/installation-device.nix
new file mode 100644
index 000000000000..1a6e06995603
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/installation-device.nix
@@ -0,0 +1,106 @@
+# Provide a basic configuration for installation devices like CDs.
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports =
+ [ # Enable devices which are usually scanned, because we don't know the
+ # target system.
+ ../installer/scan/detected.nix
+ ../installer/scan/not-detected.nix
+
+ # Allow "nixos-rebuild" to work properly by providing
+ # /etc/nixos/configuration.nix.
+ ./clone-config.nix
+
+ # Include a copy of Nixpkgs so that nixos-install works out of
+ # the box.
+ ../installer/cd-dvd/channel.nix
+ ];
+
+ config = {
+
+ # Enable in installer, even if the minimal profile disables it.
+ documentation.enable = mkForce true;
+
+ # Show the manual.
+ documentation.nixos.enable = mkForce true;
+ services.nixosManual.showManual = true;
+
+ # Let the user play Rogue on TTY 8 during the installation.
+ #services.rogue.enable = true;
+
+ # Disable some other stuff we don't need.
+ services.udisks2.enable = mkDefault false;
+
+ # Use less privileged nixos user
+ users.users.nixos = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "video" ];
+ # Allow the graphical user to login without password
+ initialHashedPassword = "";
+ };
+
+ # Allow the user to log in as root without a password.
+ users.users.root.initialHashedPassword = "";
+
+ # Allow passwordless sudo from nixos user
+ security.sudo = {
+ enable = mkDefault true;
+ wheelNeedsPassword = mkForce false;
+ };
+
+ # Automatically log in at the virtual consoles.
+ services.mingetty.autologinUser = "nixos";
+
+ # Some more help text.
+ services.mingetty.helpLine =
+ ''
+
+ The "nixos" and "root" account have empty passwords. ${
+ optionalString config.services.xserver.enable
+ "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
+ '';
+
+ # Allow sshd to be started manually through "systemctl start sshd".
+ services.openssh = {
+ enable = true;
+ # Allow password login to the installation, if the user sets a password via "passwd"
+ # It is safe as root doesn't have a password by default and SSH is disabled by default
+ permitRootLogin = "yes";
+ };
+ systemd.services.sshd.wantedBy = mkOverride 50 [];
+
+ # Enable wpa_supplicant, but don't start it by default.
+ networking.wireless.enable = mkDefault true;
+ systemd.services.wpa_supplicant.wantedBy = mkOverride 50 [];
+
+ # Tell the Nix evaluator to garbage collect more aggressively.
+ # This is desirable in memory-constrained environments that don't
+ # (yet) have swap set up.
+ environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+ # Make the installer more likely to succeed in low memory
+ # environments. The kernel's overcommit heustistics bite us
+ # fairly often, preventing processes such as nix-worker or
+ # download-using-manifests.pl from forking even if there is
+ # plenty of free memory.
+ boot.kernel.sysctl."vm.overcommit_memory" = "1";
+
+ # To speed up installation a little bit, include the complete
+ # stdenv in the Nix store on the CD.
+ system.extraDependencies = with pkgs;
+ [
+ stdenv
+ stdenvNoCC # for runCommand
+ busybox
+ jq # for closureInfo
+ ];
+
+ # Show all debug messages from the kernel but don't log refused packets
+ # because we have the firewall enabled. This makes installs from the
+ # console less cumbersome if the machine has a public IP.
+ networking.firewall.logRefusedConnections = mkDefault false;
+ };
+}
diff --git a/nixpkgs/nixos/modules/profiles/minimal.nix b/nixpkgs/nixos/modules/profiles/minimal.nix
new file mode 100644
index 000000000000..f044e6f39ea5
--- /dev/null
+++ b/nixpkgs/nixos/modules/profiles/minimal.nix
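Review bot: The comment above `permitRootLogin = "yes"` says this is safe because root has no password, but that guarantee comes from sshd's own default `PermitEmptyPasswords no`, which this block neither sets nor mentions, and the comment only discusses root: `users.users.nixos` likewise has `initialHashedPassword = ""` and, through `wheel` plus `wheelNeedsPassword = mkForce false`, is root-equivalent once someone runs `passwd` and starts sshd. Suggested replacement for the two comment lines: `# Password login is possible once a password is set with "passwd". Until then sshd's default PermitEmptyPasswords=no blocks the empty root/nixos passwords, and sshd is not started by default (wantedBy below); note the nixos user has passwordless sudo.` Separately, the comment before `networking.firewall.logRefusedConnections` promises "Show all debug messages from the kernel", but no such setting appears in the hunk, and "heustistics" is a typo. The enclosing `config = {` attribute set begins on the previous physical line.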
@@ -0,0 +1,17 @@ +# This module defines a small NixOS configuration. It does not +# contain any graphical stuff. + +{ config, lib, ... }: + +with lib; + +{ + environment.noXlibs = mkDefault true; + + # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale + i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ]; + + documentation.enable = mkDefault false; + + documentation.nixos.enable = mkDefault false; +} diff --git a/nixpkgs/nixos/modules/profiles/qemu-guest.nix b/nixpkgs/nixos/modules/profiles/qemu-guest.nix new file mode 100644 index 000000000000..315d04093b13 --- /dev/null +++ b/nixpkgs/nixos/modules/profiles/qemu-guest.nix @@ -0,0 +1,19 @@ +# Common configuration for virtual machines running under QEMU (using +# virtio). + +{ ... }: + +{ + boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ]; + boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; + + boot.initrd.postDeviceCommands = + '' + # Set the system time from the hardware clock to work around a + # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised + # to the *boot time* of the host). + hwclock -s + ''; + + security.rngd.enable = false; +} |