3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

613 commits

Author SHA1 Message Date
Florian Klink f3af2df658
Merge pull request #111635 from xaverdh/hide-pid-broken
nixos/hidepid: remove module, it's broken
2021-02-23 00:20:29 +01:00
Dominik Xaver Hörl 893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
nicoo 39383a8494 nixos/rngd: Remove module entirely, leave an explaination
Per @shlevy's request on #96092.
2021-02-21 01:32:50 +01:00
Sandro fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
Florian Klink dfb2bc857b nixos/acme: fix docs 2021-01-29 18:56:28 +01:00
Florian Klink 82102fc37d
Merge pull request #100356 from m1cr0man/docsupdate
nixos/acme: Docs, explain how to set permissions
2021-01-29 17:16:06 +01:00
Florian Klink 1030745555
Merge pull request #106857 from m1cr0man/master
nixos/acme: Fixes for account creation and remove tmpfiles usage
2021-01-27 17:52:16 +01:00
Jörg Thalheim 0998756db2
Merge pull request #109342 from Mic92/wrappers 2021-01-27 14:32:38 +00:00
Jörg Thalheim dbd05a5289
Update nixos/modules/security/wrappers/wrapper.nix
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2021-01-14 09:00:34 +00:00
Jörg Thalheim eadffd9154
nixos/wrappers: fix applying capabilities
With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors no make execution explicitly fail instead of
hiding errors behind debug environment variables and the code style was
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
2021-01-14 08:46:57 +01:00
Lucas Savva 514a0b6d8a nixos/acme: Fix bash issue, enable debug
I found a logical error in the bash script, but during
debugging I enabled command echoing and realised it
would be a good idea to have it enabled all the time for
ease of bug reporting.
2021-01-12 19:11:52 +00:00
Frederik Rietdijk b209617ff0 plasma5Packages: alias to the libsForQt5 used to build the plasma5 desktop
For in NixOS it is beneficial if both plasma5 and pam use the same Qt5
version. Because the plasma5 desktop may use a different version as the
default Qt5 version, we introduce plasma5Packages.
2021-01-10 15:59:45 +01:00
Lucas Savva 5b4f9c4244 nixos/acme: Set up webroot as non-root user 2021-01-09 19:37:03 +00:00
Lucas Savva a01df7dc46 nixos/acme: Incorporate review suggestions 2021-01-09 19:15:03 +00:00
Sandro Jäckel a7e31c64d9
nixos/acme: Suggest directory used security.acme.certs.<name>.webroot 2021-01-09 02:20:49 +01:00
Milan Pässler 018072ea22 nixos/pam: use pam_faillock instead of pam_tally
Fixes #108313

\#107185 removed pam_tally, in favor of pam_faillock (see release notes).
2021-01-03 15:54:23 +01:00
Lucas Savva 92a3a37153 nixos/acme: Remove all systemd-tmpfiles usage
- Added an ExecPostStart to acme-$cert.service when webroot is defined to create the acme-challenge
directory and fix required permissions. Lego always tries to create .well-known and acme-challenge,
thus if any permissions in that tree are wrong it will crash and break cert renewal.
- acme-fixperms now configured with acme User and Group, however the script still runs as root. This
ensures the StateDirectories are owned by the acme user.
- Switched to list syntax for systemd options where multiple values are specified.
2020-12-29 15:01:08 +00:00
Florian Klink f71e439688 nixos/acme: fix typo in docs 2020-12-28 13:19:15 +01:00
Lucas Savva e5913db0c9 nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state.
Also added a note on ensuring the group of manual certs is correct.
2020-12-28 00:35:45 +00:00
Lucas Savva f670e1dc23 nixos/acme: change service umask to 0023
Closes #106603
Some webservers (lighttpd) require that the
files they are serving are world readable. We
do our own chmods in the scripts anyway, and
lego has sensible permissions on its output
files, so this change is safe enough.
2020-12-28 00:35:20 +00:00
Lucas Savva 351065f970 nixos/acme: reduce dependency on tmpfiles
systemd-tmpfiles is no longer required for
most of the critical paths in the module. The
only one that remains is the webroot
acme-challenge directory since there's no
other good place for this to live and forcing
users to do the right thing alone will only
create more issues.
2020-12-28 00:35:20 +00:00
Lucas Savva 85769a8cd8 nixos/acme: prevent mass account creation
Closes #106565
When generating multiple certificates which all
share the same server + email, lego will attempt
to create an account multiple times. By adding an
account creation target certificates which share
an account will wait for one service (chosen at
config build time) to complete first.
2020-12-28 00:35:18 +00:00
Florian Klink 49853c69f5
Merge pull request #101482 from m1cr0man/jwsfix
nixos/acme: lego run when account is missing
2020-12-20 11:06:19 +01:00
Lucas Savva e3120397a5 nixos/acme: Remove dependency on system version for hash
This means that all systems running from master will trigger
new certificate creation on next rebuild. Race conditions around
multiple account creation are fixed in #106857, not this commit.
2020-12-18 12:57:35 +00:00
Silvan Mosberger 6df56e1cb8
Merge pull request #103866 from cole-h/doas
doas: 6.6.1 -> 6.8
2020-11-30 19:02:55 +01:00
Frederik Rietdijk b2a3891e12 Merge master into staging-next 2020-11-27 15:09:19 +01:00
Graham Christensen d9c3f13df3
Merge pull request #104776 from grahamc/utillinux
utillinux: rename to util-linux
2020-11-24 15:14:36 -05:00
Graham Christensen bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
adisbladis ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Florian Klink d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
Cole Helbling 19c0927d30
nixos/doas: add noLog option 2020-11-14 19:16:56 -08:00
Linus Heckemann 2b06415ca1
Merge pull request #101370 from m1cr0man/ssl-test-certs
nixos/acme: Permissions and tests fixes
2020-10-28 17:21:57 +01:00
Nick Hu 921287e7f0
Merge pull request #97726 from NickHu/pam_gnupg
pam: add support for pam_gnupg
2020-10-26 15:27:13 +00:00
Lucas Savva 79ecf069f5
nixos/acme: Add data.email to othersHash in nixos > 20.09 2020-10-24 20:40:02 +01:00
Lucas Savva 76401c9a3b
nixos/acme: lego run whenen account is missing 2020-10-23 18:52:42 +01:00
Lucas Savva 89d134b3fd
nixos/acme: Use more secure chmods
Previous settings would make files executable in
the certs directories.
2020-10-22 14:04:31 +01:00
David Reiss 49a749c729 nixos/pam_mount: add pamMount attribute to users
This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.
2020-10-14 22:55:55 -07:00
Dominique Martinet f8d78b9f67
confinement: fix assert for serviceConfig.ProtectSystem
serviceConfig.ProtectSystem is usually a string so if set, the assert
itself would error out leaving no useable trace:

  # nixos-rebuild switch --show-trace
  building Nix...
  building the system configuration...
  error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5:
  while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12:
  while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8:
  while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position:
  while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7:
  value is a string while a Boolean was expected

Fix the check to give a sensible assert message instead; the attribute
should either be not set or false bool to pass.

Closes: #99000
2020-10-14 11:56:18 +02:00
Lucas Savva d95f020a53
nixos/acme: Docs, explain how to set permissions
As of 20.09 the /var/lib/acme/.challenges permissions will
not automatically be correct. Add instructions on how to
set them correctly.
2020-10-12 19:26:00 +01:00
Nick Hu 948e05bb28
pam: add support for pam_gnupg 2020-10-12 13:29:40 +01:00
Florian Klink a1cb02148b
Merge pull request #99912 from m1cr0man/ocspfix
nixos/acme: Fix ocspMustStaple option and add test
2020-10-11 23:44:33 +02:00
zowoq f9bb39e294 nixos/pam: remove trailing whitespace 2020-10-09 18:31:20 +10:00
Miles Breslin 8e628f8eea
nixos/pam: Add option to set pam-u2f appid (#73591) 2020-10-08 14:37:40 -04:00
Jeroen Simonetti cc3ce9a13a nixos/security/acme: Add DNS resolver option
When using the ACME DNS-01 challenge, there is a possibility of a
failure to resolve the challenge if the record is not propagated
fast enough. To circumvent this generic DNS problem, this adds
a setting to explicitly tell the ACME provider to use a certain DNS
resolver to lookup the challenge.

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2020-10-07 13:01:08 +02:00
Vladimír Čunát 420f89ceb2
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fd.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
2020-10-07 12:22:18 +02:00
Lucas Savva 1edd91ca09
nixos/acme: Fix ocspMustStaple option and add test
Some of the testing setup for OCSP checking was wrong and
has been fixed too.
2020-10-07 00:18:13 +01:00
Andreas Rammhold 2c0ee52d91
nixos/security/acme: order after nss-lookup.target
This should hopefully solve races with DNS servers (such as unbound)
during the activation of a new generation. Previously unbound could
still be unavailable and thus the acme script would fail.
2020-10-06 22:52:55 +02:00
Tim Steinbach 9646ae97c8
pam: Fix interaction with samba
9544c6078e / #96672 removed the samba option
`syncPasswordsByPam`.
Need to remove this option from the pam module, otherwise it will cause build errors
2020-10-05 09:13:16 -04:00
Doron Behar 9544c6078e
Merge pull request #96672 from doronbehar/module/samba
nixos/samba: remove upstream deprecated syncPasswordsByPam option
2020-10-04 11:29:56 +03:00
Maximilian Bosch d2dc0ae203
nixos/sudo: add package option
The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.
2020-10-01 13:00:52 +02:00