3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

290 commits

Author SHA1 Message Date
Vincent Haupert b88ddadf8b nixos/intel-sgx: add option for Intel SGX DCAP compatibility
The Intel SGX DCAP driver makes the SGX application enclave device and
the SGX provisioning enclave available below the path `/dev/sgx/`. Since
Linux 5.11, a derivation of the DCAP driver is part of the kernel and
available through the X86_SGX config option; NixOS enables this option
by default.

In contrast to the out-of-tree DCAP driver, the in-tree SGX driver uses
a flat hierarchy for the SGX devices resulting in the paths
`/dev/sgx_enclave` for the application enclave device and
`/dev/sgx_provison` for the provisioning enclave device.

As of this commit, even the latest version of the Intel SGX PSW
libraries still tries to open the (legacy) DCAP paths only. This means
that SGX software currently cannot find the required SGX devices even if
the system actually supports SGX through the in-tree driver. Intel wants
to change this behavior in an upcoming release of intel/linux-sgx.

Having said that, SGX software assuming the SGX devices below
`/dev/sgx/` will prevail. Therefore, this commit introduces the NixOS
configuration option `hardware.cpu.intel.sgx.enableDcapCompat` which
creates the necessary symlinks to support existing SGX software. The
option defaults to true as it is currently the only way to support SGX
software. Also, enabling the SGX AESM service enables the option.

The permissions of the devices `/dev/sgx_enclave` and
`/dev/sgx_provison` remain the same, i.e., are not affected regardless
of having the new option enabled or not.
2022-01-11 14:02:16 +01:00
pennae fc614c37c6 nixos/documentation: split options doc build
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.

in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
2022-01-02 19:46:13 +01:00
pennae 3dbb117aa5 nixos/aesmd: add missing defaultText 2021-12-29 20:12:03 +01:00
Maximilian Bosch 8f9f754271
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:

    Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"

This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:

    Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip

Increasing the buffer to 8192 fixes the problem for me.
2021-12-21 00:51:45 +01:00
Graham Christensen 06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Vincent Haupert 0b5c9f81e2 nixos/aesmd: add module
Co-authored-by: Alex Zero <joseph@marsden.space>
2021-12-10 10:18:31 +01:00
pennae ed673a69db treewide: add defaultText for options with simple cfg.* expression defaults
adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
2021-12-09 01:14:16 +01:00
pennae fb0e5be843 treewide: add defaultText for options with simple interpolation defaults
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
2021-12-09 01:13:48 +01:00
Robert Hensing 862d167f17
Merge pull request #147441 from pennae/option-doc-staticizing
nixos/*: add trivial defaultText to options where applicable
2021-12-06 01:35:38 +01:00
pennae 2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Moritz Hedtke 9d01ce82ac
nixos/tests: add step-ca test 2021-11-13 12:40:47 +01:00
Sandro e5ac2e1a52
Merge pull request #122452 from ju1m/tor 2021-11-09 21:50:57 +01:00
Jasper Woudenberg 810b3b5fcd nixos/yubikey-agent add maintainer jwoudenberg 2021-10-29 23:13:50 +02:00
Jasper Woudenberg 4ceb33b982 nixos/yubikey-agent: start enabled agent on boot
This adds a `wantedBy` clause to the user systemd service for
yubikey-agent, to ensure an enabled agent is started on boot. This
brings the behavior inline with existing documentation.

If the user has selected a graphical pinentry program, then we need to
wait for the graphical environment to exist before starting the
yubikey-agent. I've found that if we start the agent earlier it will
fail when we perform an ssh command later.
2021-10-29 23:13:46 +02:00
Wei Tang 7c7cd951c5
nixos/step-ca: fix comment typo 2021-10-26 20:47:30 +02:00
Maximilian Bosch 47fc40d5ab
pythonPackages.privacyidea-ldap-proxy: 0.6.1 -> 0.6.2, switch to python3 2021-10-18 21:14:35 +02:00
Naïm Favier 2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Aaron Andersen 559449530f
Merge pull request #132319 from onny/opensnitch
nixos/opensnitch: Add module for opensnitch
2021-09-19 11:31:21 -04:00
rnhmjoj 64f5d681d9
nixos/physlock: fix broken wrapper
- `user` doesn't exist -> `owner`
- set `setuid,group` as well (no longer optional)
2021-09-19 11:53:41 +02:00
Jonas Heinrich 94f775024e Opensnitch: Add module 2021-09-14 18:51:23 +02:00
Bobby Rong 39261adc92
Merge pull request #135626 from delroth/tor-netlink
nixos/tor: allow AF_NETLINK address family
2021-09-14 22:57:34 +08:00
Guillaume Girol 3592034595
Merge pull request #133166 from symphorien/nonogroup
Don't default to nogroup for the primary group of users.
2021-09-13 18:29:21 +00:00
Guillaume Girol bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Maximilian Bosch 69e75754d5
nixos/privacyidea: use sudo(8) that's configured via the module 2021-09-08 22:45:50 +02:00
Pierre Bourdon 6b70d3e911
nixos/tor: allow AF_NETLINK address family
Tor attempts to detect what external IP address a machine is using by
listing addresses on all network interfaces on the system. This listing
is done using getifaddrs(3), which relies on netlink in order to get
IPv6 address information.

This change fixes Tor not finding the relay's IPv6 address unless
explicitly configured via either an ORPort directive or via DNS
resolution of the machine hostname.
2021-08-25 06:03:41 +02:00
Elis Hirwing 09a49354b6
nixos/hockeypuck: Add service for hockeypuck 2021-07-19 07:33:01 +02:00
Antoine Martin 2463620fc2
nixos/vaultwarden: make package configurable (#113216)
This allows the user to override the version of Vaultwarden used by the
service, if using an overlay to keep up to date with releases for
example.
2021-07-14 17:20:10 -04:00
K900 dc1b56c714 vaultwarden: update to 1.22.1, rename from bitwarden_rs
I tried to make this as non-breaking as possible, but it will still
break things slightly for people expecting certain file names in the
packages themselves.
2021-07-01 12:31:20 +03:00
Niklas Hambüchen a48fea4c5e sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)

Also update description to the wording of the sshd_config man page.

`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Maximilian Bosch 5aad4e73b6
privacyIDEA: 3.5.2 -> 3.6
ChangeLog: https://github.com/privacyidea/privacyidea/releases/tag/v3.6

Unfortunately we have to use `sqlalchemy` at 1.3 for `sqlsoup`. As
`sqlalchemy` is required by a lot of packages, I decided to move this
package out of `pythonPackages` itself and instantiate a new
`pythonPackages` inside the expression where `sqlalchemy` points to
`sqlalchemy_1_3`.
2021-06-22 15:36:36 +02:00
talyz b4c069b147
nixos/fail2ban: Remove reloadIfChanged = true
This makes the service fail when upgrading the package, so let's
properly restart it instead.
2021-06-16 13:52:46 +02:00
Ivan Kozik d95960e275 nixos/bitwarden_rs: fix startup on 32 thread machines
LimitNPROC=64 is too low for bitwarden_rs to start on a 32 thread machine.
Remove the limit.

This fixes:

```
bitwarden_rs[38701]: /--------------------------------------------------------------------\
bitwarden_rs[38701]: |                       Starting Bitwarden_RS                        |
bitwarden_rs[38701]: |--------------------------------------------------------------------|
bitwarden_rs[38701]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
bitwarden_rs[38701]: | official channels to report bugs/features, regardless of client.   |
bitwarden_rs[38701]: | Send usage/configuration questions or feature requests to:         |
bitwarden_rs[38701]: |   https://bitwardenrs.discourse.group/                             |
bitwarden_rs[38701]: | Report suspected bugs/issues in the software itself at:            |
bitwarden_rs[38701]: |   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
bitwarden_rs[38701]: \--------------------------------------------------------------------/
bitwarden_rs[38701]: [INFO] No .env file found.
bitwarden_rs[38701]: [2021-05-24 03:34:41.121][bitwarden_rs::api::core::sends][INFO] Initiating send deletion
bitwarden_rs[38701]: [2021-05-24 03:34:41.122][start][INFO] Rocket has launched from http://127.0.0.1:8222
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'unnamed' panicked at 'failed to spawn thread: Os { code: 11, kind: WouldBlock, message: "Resource temporarily unavailable" }': /build/rustc-1.52.1-src/library/std/src/thread/mod.rs:620
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: core::result::unwrap_failed
bitwarden_rs[38701]:    7: hyper::server::listener::spawn_with
bitwarden_rs[38701]:    8: hyper::server::listener::ListenerPool<A>::accept
bitwarden_rs[38701]:    9: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:   10: core::ops::function::FnOnce::call_once{{vtable.shim}}
bitwarden_rs[38701]:   11: std::sys::unix:🧵:Thread:🆕:thread_start
bitwarden_rs[38701]:   12: start_thread
bitwarden_rs[38701]:   13: __GI___clone
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'main' panicked at 'internal error: entered unreachable code: the call to `handle_threads` should block on success': /build/bitwarden_rs-1.20.0-vendor.tar.gz/rocket/src/rocket.rs:751
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: rocket:🚀:Rocket::launch
bitwarden_rs[38701]:    7: bitwarden_rs::main
bitwarden_rs[38701]:    8: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:    9: std::rt::lang_start::{{closure}}
bitwarden_rs[38701]:   10: std::rt::lang_start_internal
bitwarden_rs[38701]:   11: main
```
2021-05-24 04:36:17 +00:00
Martin Weinelt 7bd65d54f7 treewide: remove nand0p as maintainer
While looking at the sphinx package I noticed it was heavily
undermaintained, which is when we noticed nand0p has been inactive for
roughly 18 months. It is therefore prudent to assume they will not be
maintaining their packages, modules and tests.

- Their last contribution to nixpkgs was in 2019/12
- On 2021/05/08 I wrote them an email to the address listed in the
  maintainer-list, which they didn't reply to.
2021-05-17 01:50:49 +02:00
Tom 33a4c43126
nixos/tor: fix HidServAuth (#122439)
* add an example for services.tor.settings.HidServAuth

* fix HidServAuth validation to require ".onion"
  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
2021-05-11 10:10:32 +02:00
Julien Moutinho cd1f6bc712 nixos/tor: harden ProcSubset and ProtectProc 2021-05-10 16:50:41 +02:00
Jean-Baptiste Giraudeau 62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Luke Granger-Brown be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
pennae afb6fe2fff nixos/fail2ban: add extraPackages option
some ban actions need additional packages (eg ipset). since actions can be
provided by the user we need something general that's easy to configure.

we could also enable ipset regardless of the actual configuration of the system
if the iptables firewall is in use (like sshguard does), but that seems very
clumsy and wouldn't easily solve the binary-not-found problems other actions may
also have.
2021-04-24 18:14:56 +02:00
pennae 25c827b3cc nixos/fail2ban: add maxretry option
it's not possible to set a different default maxretry value in the DEFAULT jail
because the module already does so. expose the maxretry option to the
configuration to remedy this. (we can't really remove it entirely because
fail2ban defaults to 5)
2021-04-24 17:55:56 +02:00
Aaron Andersen 5f2a8deb17
Merge pull request #120324 from pennae/restart-sshguard
nixos/sshguard: restart sshguard when services/backend changes
2021-04-23 16:56:30 -04:00
pennae 265d31bcbd nixos/sshguard: restart sshguard when services/backend changes
backends changing shouldn't be very likely, but services may well change. we
should restart sshguard from nixos-rebuild instead of merely plopping down a new
config file and waiting for the user to restart sshguard.
2021-04-23 16:16:37 +02:00
Yorick van Pelt 279c7d43ee
nixos/oauth2_proxy: fix package name in nixos module 2021-04-18 14:21:38 +02:00
Graham Christensen ffd29c76f6
Merge pull request #117928 from ymatsiuk/fprintd-tod
nixos/fprintd: add TOD support
2021-04-15 11:51:09 -04:00
Yurii Matsiuk b29ed56049
nixos/fprintd: add TOD support
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>
2021-04-15 08:55:39 +02:00
Symphorien Gibol 7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
Sandro ab1a223747
Merge pull request #112322 from mohe2015/module/declarative-step-ca 2021-04-12 17:35:54 +02:00
Hedtke, Moritz 01b1ddfa70 Add mohe2015 as maintainer to step-ca and nixos/step-ca 2021-04-09 14:57:43 +02:00
Hedtke, Moritz d848dd07e6 nixos/step-ca: Add declarative step-ca service
Co-authored-by: midchildan <git@midchildan.org>
2021-04-09 14:57:43 +02:00
Sandro Jäckel 9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Maximilian Bosch 4a4f7dfb77
nixos/privacyidea: use envsubst to avoid leaking secrets to the store 2021-03-31 13:27:30 +02:00