author | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:36:23 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-01-06 09:36:23 +0100 |
commit | e5381cdeceeb150535998cee5518e6fa678e4dc0 (patch) | |
tree | f0ba4eaa3e0d2c5e2cdfd55e18c1953b1ad9a854 /nixos | |
parent | d84a33d85b621f4621f4e4da1c74b8ad896a349e (diff) | |
parent | 7d864c6bd6391baa516118051ec5fb7e9836280e (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 9 | ||||
-rw-r--r-- | nixos/modules/programs/xss-lock.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/hardware/lirc.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/hardware/vdr.nix | 14 | ||||
-rw-r--r-- | nixos/tests/xss-lock.nix | 3 |
5 files changed, 27 insertions, 8 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index a588943fe71..9ab2ee87a19 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -29,11 +29,20 @@ with lib; security.apparmor.enable = mkDefault true; boot.kernelParams = [ + # Slab/slub sanity checks, redzoning, and poisoning + "slub_debug=FZP" + + # Disable slab merging to make certain heap overflow attacks harder + "slab_nomerge" + # Overwrite free'd memory "page_poison=1" # Disable legacy virtual syscalls "vsyscall=none" + + # Enable PTI even if CPU claims to be safe from meltdown + "pti=on" ]; boot.blacklistedKernelModules = [
diff --git a/nixos/modules/programs/xss-lock.nix b/nixos/modules/programs/xss-lock.nix
index 49d522c604f..c290df01b96 100644
--- a/nixos/modules/programs/xss-lock.nix
+++ b/nixos/modules/programs/xss-lock.nix
@@ -9,7 +9,8 @@ in options.programs.xss-lock = { enable = mkEnableOption "xss-lock"; lockerCommand = mkOption { - example = "xlock"; + default = "${pkgs.i3lock}/bin/i3lock"; + example = literalExample ''''${pkgs.i3lock-fancy}/bin/i3lock-fancy''; type = types.string; description = "Locker to be used with xsslock"; };
diff --git a/nixos/modules/services/hardware/lirc.nix b/nixos/modules/services/hardware/lirc.nix
index 0072406a438..826e512c75d 100644
--- a/nixos/modules/services/hardware/lirc.nix
+++ b/nixos/modules/services/hardware/lirc.nix
@@ -32,7 +32,6 @@ in { default = []; description = "Extra arguments to lircd."; }; - }; }; 
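Review bot: The three new `boot.kernelParams` entries in hardened.nix say what they enable but not what they cost or where they apply, which matters for a profile that users import wholesale. `slub_debug=FZP` turns on sanity checks, red zones and poisoning for every slab cache, which is a measurable allocator slowdown on allocation-heavy workloads and only has effect on kernels built with CONFIG_SLUB_DEBUG; `pti=on` is an x86 parameter that other architectures ignore. I would extend the first comment to `# Slab/slub sanity checks, redzoning, and poisoning (measurable allocator overhead; requires CONFIG_SLUB_DEBUG)` and the last to `# Force PTI even if the CPU claims to be unaffected by Meltdown (x86 only)`. It may also help to note that `slub_debug=P` poisons freed slab objects while the existing `page_poison=1` covers freed pages, so the two are complementary rather than redundant.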
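Review bot: The new `default = "${pkgs.i3lock}/bin/i3lock"` in xss-lock.nix has no `defaultText`, so the generated option documentation will render a concrete /nix/store path rather than the expression, unlike the `example` on the next line which is wrapped in `literalExample` for exactly that reason. Add `defaultText = "\${pkgs.i3lock}/bin/i3lock";` alongside the default. Since enabling `programs.xss-lock` now silently installs and starts i3lock, the `description` in the same hunk could also name it, e.g. `description = "Locker to be used with xss-lock (defaults to i3lock)";`.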
@@ -43,14 +42,15 @@ in { # Note: LIRC executables raises a warning, if lirc_options.conf do not exists environment.etc."lirc/lirc_options.conf".text = cfg.options; + passthru.lirc.socket = "/run/lirc/lircd"; + environment.systemPackages = [ pkgs.lirc ]; systemd.sockets.lircd = { description = "LIRC daemon socket"; wantedBy = [ "sockets.target" ]; socketConfig = { - # default search path - ListenStream = "/run/lirc/lircd"; + ListenStream = config.passthru.lirc.socket; SocketUser = "lirc"; SocketMode = "0660"; };
diff --git a/nixos/modules/services/hardware/vdr.nix b/nixos/modules/services/hardware/vdr.nix
index 75136a2f796..4822506a899 100644
--- a/nixos/modules/services/hardware/vdr.nix
+++ b/nixos/modules/services/hardware/vdr.nix
@@ -33,12 +33,14 @@ in { default = []; description = "Additional command line arguments to pass to VDR."; }; + + enableLirc = mkEnableOption "enable LIRC"; }; }; ###### implementation - config = mkIf cfg.enable { + config = mkIf cfg.enable (mkMerge [{ systemd.tmpfiles.rules = [ "d ${cfg.videoDir} 0755 vdr vdr -" "Z ${cfg.videoDir} - vdr vdr -"
@@ -67,5 +69,13 @@ in { }; users.groups.vdr = {}; - }; + } + + (mkIf cfg.enableLirc { services.lirc.enable = true; users.users.vdr.extraGroups = [ "lirc" ]; services.vdr.extraArguments = [ "--lirc=${config.passthru.lirc.socket}" ]; })]); }
diff --git a/nixos/tests/xss-lock.nix b/nixos/tests/xss-lock.nix
index 045667bdcde..b46bb1a8f6e 100644
--- a/nixos/tests/xss-lock.nix
+++ b/nixos/tests/xss-lock.nix
@@ -9,7 +9,6 @@ with lib; machine = { imports = [ ./common/x11.nix ./common/user-account.nix ]; programs.xss-lock.enable = true; - programs.xss-lock.lockerCommand = "${pkgs.xlockmore}/bin/xlock"; services.xserver.displayManager.auto.user = "alice"; };
@@ -20,6 +19,6 @@ with lib; $machine->fail("pgrep xlock"); $machine->succeed("su -l alice -c 'xset dpms force standby'"); - $machine->waitUntilSucceeds("pgrep xlock"); + $machine->waitUntilSucceeds("pgrep i3lock"); ''; }) |
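Review bot: `passthru.lirc.socket = "/run/lirc/lircd";` in lirc.nix appears to use the generic, untyped `passthru` attribute set as a side channel to hand the socket path to vdr.nix, which gives the value no type, no documentation and no stable name that other modules can rely on. A declared option, `services.lirc.socket = mkOption { type = types.path; default = "/run/lirc/lircd"; readOnly = true; description = "Path of the lircd socket (ListenStream of systemd.sockets.lircd)."; };`, would serve the same purpose and let `ListenStream` and the vdr `--lirc=` argument reference `cfg.socket`. The removed `# default search path` comment was the only hint that lircd clients look for this path by default; keep it on the new assignment. The enclosing `config` attribute set starts and ends outside this hunk.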
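Review bot: `enableLirc = mkEnableOption "enable LIRC";` in the first vdr.nix hunk yields the option description `Whether to enable enable LIRC.`, because `mkEnableOption` already prefixes its argument with "Whether to enable". Use `enableLirc = mkEnableOption "LIRC remote control support for VDR";` instead. The `mkMerge [{` opened in this hunk is closed in the second vdr.nix hunk, which also adds the `vdr` user to the `lirc` group; that matches the `0660` socket mode set in lirc.nix and is the narrowest grant that lets VDR reach the socket.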
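Review bot: In the last xss-lock test hunk, the negative check `$machine->fail("pgrep xlock");` two lines above the changed line still looks for xlock while the positive check now looks for i3lock, so it no longer proves the locker is absent before DPMS standby: xlock is not installed any more, so `pgrep xlock` fails trivially and the test would still pass if i3lock were already running. Change it to `$machine->fail("pgrep i3lock");` so both assertions name the same process.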