Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/all-hardware.nix | 69 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 17 | ||||
-rw-r--r-- | nixos/modules/profiles/installation-device.nix | 27 | ||||
-rw-r--r-- | nixos/modules/profiles/qemu-guest.nix | 4 |
4 files changed, 98 insertions, 19 deletions
diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 19f821ae17f..797fcddb8c9 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -3,8 +3,10 @@ # enabled in the initrd. Its primary use is in the NixOS installation # CDs. -{ ... }: - +{ pkgs, lib,... }: +let + platform = pkgs.stdenv.hostPlatform; +in { # The initrd has to contain any module that might be necessary for @@ -35,6 +37,9 @@ # drives. "uas" + # SD cards. + "sdhci_pci" + # Firewire support. Not tested. "ohci1394" "sbp2" 
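Review bot: The new argument pattern `{ pkgs, lib,... }:` drops the space before the ellipsis that the rest of the module tree uses; write it `{ pkgs, lib, ... }:` so the header matches the file's own style. Binding `platform = pkgs.stdenv.hostPlatform` is a good choice for a module that selects initrd modules per target, and the later per-architecture conditions in this file should then use `platform.isAarch32`/`platform.isAarch64` rather than reaching for `pkgs.stdenv.*` again.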
@@ -42,10 +47,68 @@ "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console" # VMware support. - "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock" + "mptspi" "vmxnet3" "vsock" + ] ++ lib.optional platform.isx86 "vmw_balloon" + ++ lib.optionals (!platform.isAarch64 && !platform.isAarch32) [ # not sure where else they're missing + "vmw_vmci" "vmwgfx" "vmw_vsock_vmci_transport" # Hyper-V support. "hv_storvsc" + ] ++ lib.optionals (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Allows using framebuffer configured by the initial boot firmware + "simplefb" + + # Allwinner support + + # Required for early KMS + "sun4i-drm" + "sun8i-mixer" # Audio, but required for kms + + # PWM for the backlight + "pwm-sun4i" + + # Broadcom + + "vc4" + ] ++ lib.optionals pkgs.stdenv.isAarch64 [ + # Most of the following falls into two categories: + # - early KMS / early display + # - early storage (e.g. USB) support + + # Broadcom + + "pcie-brcmstb" + + # Rockchip + "dw-hdmi" + "dw-mipi-dsi" + "rockchipdrm" + "rockchip-rga" + "phy-rockchip-pcie" + "pcie-rockchip-host" + + # Misc. uncategorized hardware + + # Used for some platform's integrated displays + "panel-simple" + "pwm-bl" + + # Power supply drivers, some platforms need them for USB + "axp20x-ac-power" + "axp20x-battery" + "pinctrl-axp209" + "mp8859" + + # USB drivers + "xhci-pci-renesas" + + # Misc "weak" dependencies + "analogix-dp" + "analogix-anx6345" # For DP or eDP (e.g. integrated display) ]; # Include lots of firmware. diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index ef8c0d74f06..3f8f78f012a 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix 
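Review bot: The context lines `# Hyper-V support.` and `"hv_storvsc"` now sit inside the `lib.optionals (!platform.isAarch64 && !platform.isAarch32) [ ... ]` list, so the Hyper-V storage driver is silently excluded from the initrd on ARM guests even though the surrounding comment talks only about the VMware modules; unless that is intended, move `"hv_storvsc"` back into the unconditional list or state in the comment why Hyper-V is excluded there. The same expression mixes `platform.isx86` with `pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64`; since `platform` is bound to `pkgs.stdenv.hostPlatform` earlier in the file, using `platform.isAarch32`/`platform.isAarch64` throughout would make the architecture predicates read uniformly. The leftover `# not sure where else they're missing` is an open question rather than a comment; either resolve it or mark it `# TODO:` so it is found again later.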
@@ -1,7 +1,12 @@ # A profile with most (vanilla) hardening options enabled by default, -# potentially at the cost of features and performance. +# potentially at the cost of stability, features and performance. +# +# This profile enables options that are known to affect system +# stability. If you experience any stability issues when using the +# profile, try disabling it. If you report an issue and use this +# profile, always mention that you do. -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -17,8 +22,6 @@ with lib; environment.memoryAllocator.provider = mkDefault "scudo"; environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; - security.hideProcessInformation = mkDefault true; - security.lockKernelModules = mkDefault true; security.protectKernelImage = mkDefault true; @@ -27,9 +30,13 @@ with lib; security.forcePageTableIsolation = mkDefault true; + # This is required by podman to run containers in rootless mode. + security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable; + security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; + security.apparmor.killUnconfinedConfinables = mkDefault true; boot.kernelParams = [ # Slab/slub sanity checks, redzoning, and poisoning @@ -64,6 +71,8 @@ with lib; "jfs" "minix" "nilfs2" + "ntfs" + "omfs" "qnx4" "qnx6" "sysv" diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index d05c0c50e82..8e3aa20daa6 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix 
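Review bot: `security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;` re-opens unprivileged user namespaces — one of the larger kernel attack surfaces this profile otherwise closes — whenever the containers module is enabled, yet the comment names only rootless podman, which is one of several things that module serves. The trade-off should be stated at the setting so a user of the hardened profile sees it, e.g. `# Unprivileged user namespaces are a sizeable kernel attack surface; they are re-enabled here only because rootless podman needs them. Set this to false explicitly if containers are enabled but rootless operation is not required.`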
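Review bot: The blacklist additions `"ntfs"` and `"omfs"` cover the legacy NTFS module name only; if the kernel in use also ships the newer `ntfs3` driver, that module is not matched by the `ntfs` entry and would need its own `"ntfs3"` line to keep the filesystem out of reach (the kernel version cannot be confirmed from this diff). A short comment on the list saying it is a name-for-name blacklist, not a family match, would prevent the same gap for future drivers.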
@@ -45,28 +45,29 @@ with lib; }; # Automatically log in at the virtual consoles. - services.mingetty.autologinUser = "nixos"; + services.getty.autologinUser = "nixos"; # Some more help text. - services.mingetty.helpLine = '' + services.getty.helpLine = '' The "nixos" and "root" accounts have empty passwords. - Type `sudo systemctl start sshd` to start the SSH daemon. - You then must set a password for either "root" or "nixos" - with `passwd` to be able to login. + An ssh daemon is running. You then must set a password + for either "root" or "nixos" with `passwd` or add an ssh key + to /home/nixos/.ssh/authorized_keys be able to login. '' + optionalString config.services.xserver.enable '' Type `sudo systemctl start display-manager' to start the graphical user interface. ''; - # Allow sshd to be started manually through "systemctl start sshd". + # We run sshd by default. Login via root is only possible after adding a + # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys. + # The latter one is particular useful if keys are manually added to + # installation device for head-less systems i.e. arm boards by manually + # mounting the storage in a different system. services.openssh = { enable = true; - # Allow password login to the installation, if the user sets a password via "passwd" - # It is safe as root doesn't have a password by default and SSH is disabled by default permitRootLogin = "yes"; }; - systemd.services.sshd.wantedBy = mkOverride 50 []; # Enable wpa_supplicant, but don't start it by default. networking.wireless.enable = mkDefault true; 
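Review bot: With the `systemd.services.sshd.wantedBy` override removed, sshd now listens from first boot with `permitRootLogin = "yes"`, and the deleted justification ("SSH is disabled by default") no longer holds; the only thing keeping the empty-password `root` and `nixos` accounts off the network is OpenSSH's default `PermitEmptyPasswords no`, which the new comment should state explicitly, e.g. `# Relies on OpenSSH's default PermitEmptyPasswords=no: the empty-password accounts are unusable remotely until a password is set with passwd or a key is added.`. Consider `permitRootLogin = "prohibit-password"` so that a password typed into `passwd` for root on a machine with a public IP is not immediately brute-forceable, reaching root by key or via `sudo` from `nixos` instead, which the help text already points users towards. The help line also reads awkwardly now: `to /home/nixos/.ssh/authorized_keys be able to login` is missing `to` before `be able`, and `You then must` has lost the sentence it referred to once the `systemctl start sshd` instruction was removed.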
@@ -98,5 +99,13 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; + + # Prevent installation media from evacuating persistent storage, as their + # var directory is not persistent and it would thus result in deletion of + # those entries. + environment.etc."systemd/pstore.conf".text = '' + [PStore] + Unlink=no + ''; }; } diff --git a/nixos/modules/profiles/qemu-guest.nix b/nixos/modules/profiles/qemu-guest.nix index 0ea70107f71..d4335edfcf2 100644 --- a/nixos/modules/profiles/qemu-guest.nix +++ b/nixos/modules/profiles/qemu-guest.nix @@ -1,7 +1,7 @@ # Common configuration for virtual machines running under QEMU (using # virtio). -{ lib, ... }: +{ ... }: { boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ]; @@ -14,6 +14,4 @@ # to the *boot time* of the host). hwclock -s ''; - - security.rngd.enable = lib.mkDefault false; } |
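Review bot: `environment.etc."systemd/pstore.conf".text` replaces the whole of `/etc/systemd/pstore.conf`, so any other module that writes the same path will conflict with this profile; systemd-pstore also reads drop-ins from `pstore.conf.d/`, and a drop-in such as `environment.etc."systemd/pstore.conf.d/installer.conf".text` would compose with other settings instead of overriding them (if this NixOS tree already has a dedicated pstore option, prefer that). The comment could also name the consequence once: `# Unlink=no keeps crash records in /sys/fs/pstore since /var on the installer is lost on reboot.`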