Commit graph

187 commits

Author SHA1 Message Date
Peter Simons
137ffc9929 Switch default timezone in NixOS from "CET" to "UTC".
Suggested in https://github.com/NixOS/nixpkgs/pull/5332.
2014-12-15 16:31:18 +01:00
Thomas Tuegel
32e41c2280 nixos: fix config.fonts.fontconfig.ultimate.allowBitmaps
The option was incorrectly negated, so that 'allowBitmaps = true'
actually disabled bitmap fonts.
2014-12-15 09:16:40 -06:00
Eelco Dolstra
8bb494c170 Get rid of a warning about dbus in the activation script 2014-12-12 10:45:37 +01:00
Thomas Tuegel
9707ffd973 nixos: let fontconfig default fonts be lists of fonts 2014-12-08 10:55:24 -06:00
Thomas Tuegel
57ba2093bf Replace Bitstream Vera fonts by DejaVu in defaults
The default configuration installed the Bitstream Vera fonts, but DejaVu
is a superior replacement, and the default Fontconfig settings need it
now for the generic faces monospace, sans-serif, and serif.
2014-12-08 10:55:24 -06:00
Thomas Tuegel
c00c563c66 Add NixOS module for fontconfig-ultimate
Details:
* The option `fonts.fontconfig.ultimate.enable` can be used to disable
  the fontconfig-ultimate configuration.
* The user-configurable options provided by fontconfig-ultimate are
  exposed in the NixOS module: `allowBitmaps` (default: true),
  `allowType1` (default: false), `useEmbeddedBitmaps` (default: false),
  `forceAutohint` (default: false), `renderMonoTTFAsBitmap` (default:
  false).
* Upstream provides three substitution modes for substituting TrueType
  fonts for Type 1 fonts (which do not render well). The default,
  "free", substitutes free fonts for Type 1 fonts. The option "ms"
  substitutions Microsoft fonts for Type 1 fonts. The option "combi"
  uses a combination of Microsoft and free fonts. Substitutions can also
  be disabled.
* All 21 of the Infinality rendering modes supported by fontconfig-ultimate
  or by the original Infinality distribution can be selected through
  `fonts.fontconfig.ultimate.rendering`. The default is the medium style
  provided by fontconfig-ultimate. Any of the modes may be customized,
  or Infinality rendering can be disabled entirely.
2014-12-08 10:55:24 -06:00
Thomas Tuegel
1df1305a8a Rewrite Fontconfig NixOS module
Details:
* The option `fonts.enableFontConfig` has (finally) been renamed
  `fonts.fontconfig.enable`.
* Configurations are loaded in this order: first the Fontconfig-upstream
  configuration is loaded, then the NixOS-specific font directories are
  set, the system-wide default configuration is loaded, and finally the
  user configuration is loaded (if enabled).
* The NixOS options `fonts.fontconfig.defaultFonts.monospace`,
  `fonts.fontconfig.defaultFonts.sansSerif` and
  `fonts.fontconfig.defaultFonts.serif` are added to allow setting the
  default system-wide font used for these generic faces. The defaults
  are the appropriate faces from the DejaVu collection because of their
  comprehensive Unicode coverage, clean rendering, and excellent
  legibility.
* The NixOS option `fonts.fontconfig.antialias` can be used to disable
  antialiasing (it is enabled by default).
* The options `fonts.fontconfig.subpixel.rgba` and
  `fonts.fontconfig.subpixel.lcdfilter` control the system-wide default
  settings for subpixel order and LCD filtering algorithm,
  respectively.
* `fonts.fontconfig.hinting.enable` can be used to disable TrueType font
  hinting (it is enabled by default).
  `fonts.fontconfig.hinting.autohint` controls the FreeType autohinter.
  `fonts.fontconfig.hinting.style` controls the hint style; it is "full"
  by default.
* User configurations can be disabled system-wide by setting
  `fonts.fontconfig.includeUserConf = false`. They are enabled by
  default so users can set Fontconfig options in the desktop environment
  of their choice.
2014-12-08 10:55:23 -06:00
Antoine R. Dumont
da47d6bd59 Improve readability - from https://github.com/NixOS/nixpkgs/pull/5058#discussion_r21043552 2014-11-30 15:19:30 +01:00
Antoine R. Dumont
3c7e779602 Introduce a dedicated networking.proxy option
Following the discussion NixOS#5021:
- obsolete the nix.proxy option
- add the networking.proxy option
- open a default no_proxy environment variable
- add a rsync option
- Manual tests ok.
- Automatic tests ok.

Amended by lethalman to simplify the option descriptions.
2014-11-30 15:19:25 +01:00
William A. Kennington III
1860ee27b0 nixos/networking: Fixes 2014-11-26 16:29:24 -08:00
William A. Kennington III
c234e7b115 nixos/networking: Rebuild resolvconf during activation
This is needed when /etc/resolv.conf is being overriden by networkd
and other configurations. If the file is destroyed by an environment
activation then it must be rebuilt so that applications which interface
with /etc/resolv.conf directly don't break.
2014-11-26 11:22:02 -08:00
William A. Kennington III
8cffa37787 networkd: Support Host Resolvconf 2014-11-26 11:22:02 -08:00
William A. Kennington III
a332c4eac5 systemd: Enable more network services 2014-11-26 11:22:02 -08:00
Luca Bruno
6af0d6974f Merge branch 'master' into staging 2014-11-10 10:03:52 +01:00
Rüdiger Sonderfeld
fa1cec1037 update-users-groups.pl: Use UTF-8 instead of latin1.
Perl seems to write the file in latin1 independent of the actual input
encoding.  This can corrupt the "description" field of /etc/passwd.  By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8.  Ideally
the program would simply read/write the fields by value without any
changes in encoding.  However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
2014-11-08 19:25:17 +01:00
Vladimír Čunát
52404a868d Merge recent master into staging
Nixpkgs Hydra: ?compare=1157272

TODO: port e22889064f

Conflicts:
	nixos/tests/gnome3_10.nix (auto-solved)
	pkgs/applications/video/aegisub/default.nix
	pkgs/development/libraries/boost/1.55.nix
2014-11-05 15:00:44 +01:00
Vladimír Čunát
c0e2aceef4 fontconfig: patch and document 2014-11-05 12:12:30 +01:00
Eelco Dolstra
f496c3cbe4 Obsolete security.initialPassword
You can now set users.extraUsers.root.initialHashedPassword instead.
2014-11-03 12:36:56 +01:00
Eelco Dolstra
f8f787b800 Handle initialPassword and initialHashedPassword for !mutableUsers
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
2014-11-03 12:32:32 +01:00
Eelco Dolstra
3696536115 Handle removing a password if mutableUsers = false 2014-11-03 12:32:27 +01:00
Eelco Dolstra
1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Peter Simons
a9c53037fa Merge remote-tracking branch 'origin/master' into staging. 2014-11-02 16:15:53 +01:00
Eelco Dolstra
a9f5e77e2f update-users-groups.pl: Generate hashed passwords internally
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).

Fixes #4747.
2014-10-31 17:42:09 +01:00
Eelco Dolstra
f4be4f5e54 Merge remote-tracking branch 'origin/master' into staging 2014-10-24 12:24:13 +02:00
Luca Bruno
0927405a37 fontconfig: update 2.10.2 -> 2.11.1. Close #4410, #2050 2014-10-23 10:40:26 +02:00
Longrin Wischnewski
a2c65d447f passwordFile: update description 2014-10-23 04:52:50 +02:00
Eelco Dolstra
09dc132e04 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/poppler/default.nix
2014-10-16 15:16:50 +02:00
Domen Kožar
4941b96f0c eval fix 2014-10-07 21:46:15 +02:00
Eelco Dolstra
a85dcf4a00 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/libav/default.nix
	pkgs/shells/bash/bash-4.2-patches.nix
	pkgs/stdenv/generic/default.nix
2014-10-07 00:09:37 +02:00
Vladimír Čunát
e4436ad841 FONTCONFIG_FILE: remove setters to /etc/fonts/fonts.conf
Any reasonably new version of fontconfig does search that path by default,
and setting this globally causes problems, as 2.10 and 2.11 need
incompatible configs.

Tested: slim+xfce desktop, chrootenv-ed steam.
I have no idea why we were setting the global variable;
e.g., neither Fedora nor Ubuntu does that.
2014-10-05 17:05:27 +02:00
Nathaniel Baxter
0c8ad65560 pulseaudio: Add support for 32bit alsa apps on 64bit systems. 2014-10-04 14:48:58 +02:00
Rickard Nilsson
a59df1e567 nixos: Add also group.members to group 2014-09-22 19:18:08 +02:00
Eelco Dolstra
91ec6e0d90 Merge remote-tracking branch 'origin/master' into staging 2014-09-18 22:28:35 +02:00
Eelco Dolstra
ec4f38c56f Manual: Remove some option defaults that refer to store paths
Option defaults should not refer to store paths, because they cause
the manual to be rebuilt gratuitously. It's especially bad to refer to
a highly variable path like a computed configuration file.
2014-09-18 16:21:26 +02:00
Vladimír Čunát
d957b4bd78 Merge recent master into staging
Hydra nixpkgs: ?compare=1151601
2014-09-13 21:48:29 +02:00
Eelco Dolstra
624efa4224 Support users-groups.json referring to store paths
Fixes #4016.
2014-09-10 11:50:45 +02:00
Eelco Dolstra
152ae27aac Merge remote-tracking branch 'origin/systemd-216' into staging 2014-09-08 13:53:33 +02:00
Eelco Dolstra
585983bc95 Merge remote-tracking branch 'origin/staging'
Conflicts:
	pkgs/applications/version-management/subversion/default.nix
2014-09-08 11:42:09 +02:00
Nicolas Pierron
becde6132b Replace environment.profileVariables by environment.profileRelativeEnvVars 2014-09-07 19:41:00 +02:00
Vladimír Čunát
06fea81c6e Merge recent master into staging
Hydra: ?compare=1150594
2014-09-06 16:52:45 +02:00
Eelco Dolstra
20be024d1b Fix subuid/subgid generation
I don't think we need to filter users with an unset uid, because
mkSubuidEntry/mkSubgidEntry don't references the uid.
2014-09-05 17:40:09 +02:00
Rickard Nilsson
66ee6e03e7 pulseaudio: Use group audio instead of pulse-access 2014-09-03 13:24:47 +02:00
Rickard Nilsson
56102642fa pulseaudio: Add pulse-access group, controlling access to the system-wide PA daemon 2014-09-03 10:25:36 +02:00
Eelco Dolstra
3d821c068a Merge remote-tracking branch 'origin/master' into systemd-216 2014-09-02 14:43:27 +02:00
Peter Simons
1c0d15b90e Merge branch 'origin/master' into staging.
Conflicts:
	pkgs/development/libraries/ffmpeg/2.x.nix
	pkgs/development/libraries/serf/default.nix
2014-09-02 12:31:03 +02:00
Vladimir Still
5588ad472b vpnc: Fix building of system config. 2014-08-31 21:39:03 +02:00
Sam Griffin
ec8e4d23f1 cleanup per Lethalman's suggestions 2014-08-31 13:01:20 -04:00
Sam Griffin
0667d67c95 Adding vpnc configuration module 2014-08-31 12:44:13 -04:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
aszlig
e0e65cbf8e
nixos/users-groups: Fix eval on missing uid/gid.
This hopefully fixes a regression introduced by 08b214a.

In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.

I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-29 07:17:19 +02:00
Michael Raskin
844fd2553e Merge pull request #3745 from wkennington/master.dnsmasq
dnsmasq: Update and enable dbus support
2014-08-29 01:43:41 +04:00
Michael Raskin
e8badf3c3b Merge pull request #3275 from taku0/gtk-env
uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt
2014-08-29 01:35:38 +04:00
Michael Raskin
1fd14fa415 Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
2014-08-29 00:42:57 +04:00
Paul Colomiets
adbb9ff796 dnsmasq: upgrade to 2.71, fixed dnsmasq module
* The module now has systemd config

* Add resolveLocalQueries option which sets up it as a dns server for
  local host (including reasonable setup of resolvconf)

* Add "dnsmasq" user for running daemon

* Enabled dbus and dnssec support for the package

Conflicts:
	nixos/modules/misc/ids.nix
2014-08-28 11:39:03 -07:00
aszlig
8a56a55bb4
nixos/manual: Use literalExample when feasible.
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.

Thanks to @devhell for reporting.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 23:41:15 +02:00
aszlig
9667a4067c
nixos: Use literalExample for systemPackages.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 22:44:56 +02:00
Eelco Dolstra
d2539605e1 Remove reference to icecat 2014-08-25 14:35:08 +02:00
Eelco Dolstra
d73025a5fe Enable systemd's mymachines NSS module
It makes every local container registered with machined resolvable.
2014-08-24 17:10:19 +02:00
Vladimír Čunát
d4e9fd2a90 Merge recent master into staging
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
2014-08-21 15:09:31 +02:00
Matej Cotman
f4b5cd9f3f use mkDefault on root's shell 2014-08-20 21:17:48 +02:00
Eelco Dolstra
6dc5db3850 Fix setting an empty password 2014-08-18 17:12:56 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Eelco Dolstra
1a75958be5 Unify mutableUsers = { true, false }
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.

With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.

The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
2014-08-15 02:15:29 +02:00
Domen Kožar
cc8e4f6814 provide pulseaudioFull and set it as default to hardware.pulseaudio.package 2014-08-12 12:51:25 +02:00
Rickard Nilsson
a01862a4b6 nslcd nixos service: Should be wantedBy multi-user, otherwise not started if activated on running server (only starts on bootup) 2014-08-08 17:40:14 +02:00
Paul Colomiets
08b214a8f2 First implementation of subuid/subgid manipulation module 2014-08-01 21:27:20 +03:00
Paul Colomiets
496d12958e Add automatic plugin activation for vim 2014-07-15 14:59:15 +02:00
taku0
a0c91d66f1 uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt 2014-07-14 21:33:05 +09:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Michael Raskin
f2e9ebbd46 Merge pull request #2283 from wizeman/u/sysctl-merge
nixos: Fix sysctl option merging
2014-06-30 09:03:33 +04:00
Bjørn Forsman
4def9a762f nixos: add some missing '.' in option descriptions 2014-06-24 21:25:11 +02:00
Eelco Dolstra
13befa3979 Set session variables in the shell as well 2014-06-13 18:34:56 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Michael Raskin
dceda93bd0 Merge pull request #2543 from wizeman/u/zramswap
nixos: Add zram swap module
2014-06-12 13:01:29 +04:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Sönke Hahn
089b293019 better error message in case of missing uids 2014-05-28 20:12:53 +08:00
Eelco Dolstra
58226a7b06 Add type for fonts.fonts option 2014-05-22 14:20:23 +02:00
Eelco Dolstra
7fd13ddc66 Set TZDIR for all systemd services
This only matters if a service also overrides the $TZ variable.

Issue #2447.
2014-05-21 18:31:40 +02:00
Charles Strahan
5445132f73 fix -G delimiter in call to useradd 2014-05-17 00:45:16 -04:00
Eelco Dolstra
4fc151b5a3 nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
2014-05-09 00:52:02 +02:00
Ricardo M. Correia
cd1b48bc35 nixos: Add zram swap module
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.

It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
2014-05-06 20:04:22 +02:00
Rob Vermaas
d056d1d37b Fix users.*.extraGroups for users.mutableUsers = true.
(cherry picked from commit eb222923054fdc895ab73ff5d0260c1e1fc689c7)
2014-05-05 15:35:16 +02:00
Eelco Dolstra
e6b5c0121f Obsolete fonts.extraFonts
You can now just set fonts.fonts, which will be merged with the
default value unless you use mkOverride.
2014-04-29 12:34:57 +02:00
Eelco Dolstra
d6c2dcd98c Remove redundant ~/.fonts element from the font search path 2014-04-29 12:27:03 +02:00
Eelco Dolstra
05468f9b78 Bring back the isSystemUser option 2014-04-29 10:43:38 +02:00
Eelco Dolstra
d4986b5fd3 Don't create world-readable swapfiles 2014-04-24 15:19:10 +02:00
Rickard Nilsson
cfa5b5778c pulseaudio module: Use pid-file for system-wide daemon, add loglevel option 2014-04-21 23:22:11 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
179acfb664 Allow upstream systemd units to be extended
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.

This makes the baseUnit option unnecessary, so I've removed it.
2014-04-17 18:52:31 +02:00
Domen Kožar
3a9f28ee08 Merge pull request #2185 from lethalman/gnome3
tracker, licenses.cc-by-30, gnome-user-docs, upgrade sushi, gnome-keyring service, gnome-user-share, gnome-tweak-tool, gnome-shell-extensions, xdg-user-dirs
2014-04-16 18:08:00 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
William A. Kennington III
dd209e901c cpu-freq: Use cpupower instead of cpufrequtils
Additionally, put the powersave utility in charge of loading the
cpufrequency modules based on the governor specified in the
configuration.
2014-04-16 01:10:26 +02:00
Ricardo M. Correia
d8b21c2224 nixos: Fix sysctl option merging
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.

Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.

This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
2014-04-15 21:52:04 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Luca Bruno
add4977a91 system-path, gnome3: run update-desktop-database to create the mime cache
This allows programs such as yelp to handle help:// protocol schemas
2014-04-14 09:58:03 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00