Commit message | Author | Age

User and system administration help for the Gnome
https://help.gnome.org/users/gnome-help/3.10

Desktop-neutral user information store, search tool and indexer
https://wiki.gnome.org/Projects/Tracker

Show that it is possible to set custom permission bits.

Otherwise the Hydra module can't be used when mutableUsers = false;
Signed-off-by: Austin Seipp <aseipp@pobox.com>

Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.
This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.
This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.
Signed-off-by: Austin Seipp <aseipp@pobox.com>

This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
  mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
  - only need revision, version, and SHA1
  - kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
  for development or bug reports. Off by default (requires
  `security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
  - By default, disabled.
  - For people who enable it, NixOS deploys a 'grsec-lock' systemd
    service which runs at startup. You are expected to configure sysctl
    through NixOS like you regularly would, which will occur before the
    service is started. As a result, changing sysctl settings requires
    a reboot.
- New default group: 'grsecurity'
  - Root is a member by default
  - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
    making it possible to easily add users to this group for /proc
    access
- AppArmor is now automatically enabled where it wasn't before, despite
  implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

  security.grsecurity.enable = true;
  security.grsecurity.testing = true; # testing 3.13 kernel
  security.grsecurity.config.system = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

  security.grsecurity.enable = true;
  security.grsecurity.stable = true; # enable stable 3.2 kernel
  security.grsecurity.config = {
    system = "server";
    priority = "security";
    virtualisationConfig = "host";
    virtualisationSoftware = "kvm";
    hardwareVirtualisation = true;
  };
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>

Reverting postgres superuser changes until after stable.
This reverts commit 6cc0cc7ff6136963acb32b5107696484b6220562, reversing
changes made to 3c4be425dbe2d5a00f2923210a86ce7e7a4c516f.

Reverting postgres superuser changes until after stable.
This reverts commit c66be6378d8bbcea271b2d2102741fdda87ec8fe.

Reverting postgres superuser changes until after stable.
This reverts commit 7de29bd26f5e514e95d5d261c08f3029337eecb3.

Reverting postgres superuser changes until after stable.
This reverts commit e2066841106a6b89093ab685368742efa4e3c2c1.

http://hydra.nixos.org/build/10268978

This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel. (Longer term, we should probably move to a single service
for managing the iptables rules.)

This reverts commit c69577b7d6ea96cd605043440145ea6e094674b5.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.

Fixes #2105.

This allows applying NAT to an interface, rather than an IP range.

And remove ‘root-shell’.

Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.

So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.

Also fix race condition when multiple containers are created
simultaneously (as NixOps tends to do).

The command nixos-container can now create containers. For instance,
the following creates and starts a container named ‘database’:
  $ nixos-container create database
The configuration of the container is stored in
/var/lib/containers/<name>/etc/nixos/configuration.nix. After editing
the configuration, you can make the changes take effect by doing
  $ nixos-container update database
The container can also be destroyed:
  $ nixos-container destroy database
Containers are now executed using a template unit,
‘container@.service’, so the unit in this example would be
‘container@database.service’.

That NixOS containers use systemd-nspawn is just an implementation
detail (which we could change in the future).

For example, the following sets up a container named ‘foo’. The
container will have a single network interface eth0, with IP address
10.231.136.2. The host will have an interface c-foo with IP address
10.231.136.1.
  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };
With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules. This is secure because it cannot touch the
interfaces of the host.
The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).

These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.

Instead, just run "switch-to-configuration" inside the container.

This has the unintended side-effect of restarting httpd every time we
run switch-to-configuration, even if httpd hasn't changed (because
we're doing a "stop keys.target" now). So use a "Wants" dependency
instead.

Check /etc/os-release if /etc/NIXOS doesn't exist.

On the host, you can run
  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw
to get a login prompt. So this allows logging in even if the
container has no SSH access enabled.
You can also do
  $ socat unix:<path-to-container>/var/lib/root-shell.socket -
to get a plain root shell. (This socket is only accessible by root,
obviously.) This makes it easy to execute commands in the container,
e.g.
  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -

nixos: fix shell on containers