3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

783 commits

Author SHA1 Message Date
Arian van Putten 55bd770662
Merge pull request #167514 from shimunn/pam_u2f_module
nixos/security/pam: added `origin` option to pamu2f
2022-07-16 10:56:26 +02:00
shimun 327d99c0ca
nixos/security/pam: added origin option to pamu2f 2022-07-15 20:38:24 +02:00
pennae 320aa2a791 treewide: attempt at markdown option docs 2022-06-12 12:44:38 +02:00
Wanja Zaeske 305b633423 nixos/modules/security/pam: fix #95798 & #128116
Previously, `pam_unix.so` was `required` to set PAM_AUTHTOK so that
dependent pam modules (such as gnome keyering) could use the password
(for example to unlock a keyring) upon login of the user. This however
broke any additional auth providers (such as AD or LDAP): for any
non-local user `pam_unix.so` will not yield success, thus eventually the
auth would fail (even the following auth providers were actually
executed, they could not overrule the already failed auth).

This change replaces `required` by `optional`. Therefore, the
`pam_unix.so` is executed and can set the PAM_AUTHTOK for the following
optional modules, _even_ if the user is not a local user. Therefore, the
gnome keyring for example is unlocked both for local and additional
users upon login, and login is working for non-local users via
LDAP/AD.
2022-05-18 15:22:46 +02:00
Linus Heckemann 7c035dbb75
Merge pull request #156822 from xfix/wrapper-assert-argc-at-least-one
nixos/wrappers: require argc to be at least one
2022-05-16 18:52:51 +02:00
Janne Heß e6fb1e63d1
Merge pull request #171650 from helsinki-systems/feat/config-systemd-package
treewide: pkgs.systemd -> config.systemd.package
2022-05-09 10:23:04 +02:00
Ivan Kozik f18cc2cf02 nixos/security/wrappers: chown user:group instead of user.group to fix warnings from coreutils 9.1
activating the configuration...
setting up /etc...
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.messagebus’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
reloading user units for root...
2022-05-05 22:05:18 +00:00
Janne Heß 57cd07f3a9
treewide: pkgs.systemd -> config.systemd.package
This ensures there is only one systemd package when e.g. testing the
next systemd version.
2022-05-05 20:00:31 +02:00
Artturi 0b64a2d69a
Merge pull request #167108 from aaronjheng/oath-toolkit
oath-toolkit: Rename from oathToolkit to oath-toolkit
2022-05-05 03:58:39 +03:00
Luke Granger-Brown 1be4ba01ac
Merge pull request #164025 from lukegb/pam-ussh
pam-ussh: init at unstable-20210615
2022-04-11 01:25:45 +01:00
Jennifer Graul 3a8da578a7 nixos/pam_mount: add more config options 2022-04-09 15:33:13 +02:00
Jennifer Graul b20a1c34c2 nixos/pam: fix pam_mount called multiple times
fixes automatic unmounting with pam_mount by preventing it to be called
multiple times at login
2022-04-09 15:33:13 +02:00
Aaron Jheng f0c470f5eb
oath-toolkit: Rename from oathToolkit to oath-toolkit 2022-04-04 01:11:06 +00:00
Alexander T e234e5e8f8
NixOS manual: fix ACME certificates in Nginx configuration example 2022-04-02 19:15:25 +03:00
Luke Granger-Brown 1853015550 nixos/pam: add support for pam-ussh
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
2022-03-13 17:31:46 +00:00
piegames cd7e516b26
Merge pull request #156858: nixos/polkit: don't enable by default 2022-03-05 14:48:35 +01:00
Pascal Bach b5fa1aa46f
Merge pull request #162496 from Baughn/master
pam: Fix google-authenticator reference
2022-03-04 17:18:17 +01:00
aszlig 7286be7e81 nixos/systemd-confinement: Allow shipped unit file
In issue #157787 @martined wrote:

  Trying to use confinement on packages providing their systemd units
  with systemd.packages, for example mpd, fails with the following
  error:

  system-units> ln: failed to create symbolic link
  '/nix/store/...-system-units/mpd.service': File exists

  This is because systemd-confinement and mpd both provide a mpd.service
  file through systemd.packages. (mpd got updated that way recently to
  use upstream's service file)

To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.

This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:

  * The systemd-confinement module already sets additional options via
    systemd.services and thus we should get a main unit file
  * In the unlikely event that we don't get a main unit file regardless
    of the previous point, the unit would be a no-op even if the options
    of the drop-in directory would apply

Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.

Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.

Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
2022-03-02 11:42:44 -08:00
Svein Ove Aas cf0f406ed6 pam: Fix google-authenticator reference 2022-03-02 15:18:58 +00:00
Alyssa Ross 1176525f87 treewide: remove obsolete kernel version checks
We don't support Linux kernels older than 4.4 in Nixpkgs.
2022-02-19 21:09:19 +00:00
Nikolay Amiantov 524aecf61e google-compute-config: update config 2022-02-05 23:33:10 +03:00
Konrad Borowski 2a6a3d2c47 nixos/wrappers: require argc to be at least one
setuid applications were exploited in the past with an empty
argv, such as pkexec using CVE-2021-4034.
2022-01-28 12:26:20 +01:00
Konrad Borowski 1009d6e79e nixos/wrappers: create a new assert macro that always asserts
C's assert macro only works when NDEBUG is undefined. Previously
NDEBUG was undefined incorrectly which meant that the assert
macros in wrapper.c did not work.
2022-01-28 12:26:19 +01:00
polykernel 4a9d9928dc nixos/nix-daemon: use structural settings
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.

The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.

This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.

Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.

Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.

The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.

A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.

[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
2022-01-26 21:04:50 -05:00
Martin Weinelt a813be071c
nixos/polkit: don't enable by default
SUID wrappers really shouldn't be enabled by default, unless a consumer
relies on them. So in my opinion this falls upon the desktop
environments if needed or a user to explicltly enable this if wanted.

Most desktop environments and services like CUPS already enable polkit
by default, that should really be sufficient.
2022-01-27 01:45:44 +01:00
github-actions[bot] 9b5359861c
Merge master into staging-next 2022-01-12 12:01:06 +00:00
pennae b458e5133f
Merge pull request #146937 from amarshall/pam-apparmor-fix
nixos/pam: Fix apparmor syntax error
2022-01-12 06:31:35 +00:00
github-actions[bot] e8dc263ca3
Merge staging-next into staging 2022-01-11 18:01:57 +00:00
Vladimír Čunát c3805ba16c
Merge #153104: linux-pam: don't create dangling symlink during build
... into staging
2022-01-09 10:26:43 +01:00
Winter b52607f43b nixos/acme: ensure web servers using certs can access them 2022-01-08 15:05:34 -05:00
Andrew Marshall f62c11fcc3 nixos/pam: Fix apparmor syntax error
When running e.g. `aa-genprof` get error:

> ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/abstractions/pam line 26:
>     r /nix/store/XXXXX.pam,mr /nix/store/XXXXX-linux-pam-1.5.1/lib/security/pam_filter/*,

So add an explicit newline as concatMapStringsSep only adds them
between.
2022-01-02 22:51:26 -05:00
Winter 0715ef5968 linux-pam: don't create dangling symlink during build 2022-01-01 15:39:55 -05:00
Michele Guerini Rocco 59bfda7248
Merge pull request #152594 from ju1m/apparmor
security/wrappers: remove C compiler from the nixos/security.wrappers…
2021-12-31 15:09:52 +01:00
Julien Moutinho 0e5611e0be security/wrappers: remove C compiler from the nixos/security.wrappers AppArmor profile 2021-12-29 16:26:57 +01:00
Lucas Savva 65f1b8c6ae
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
2021-12-26 16:49:59 +00:00
Silvan Mosberger 2dcc3daadf
nixos/acme: Clean up default handling 2021-12-26 16:49:58 +00:00
Lucas Savva 41fb8d71ab
nixos/acme: Add useRoot option 2021-12-26 16:49:57 +00:00
Lucas Savva 8d01b0862d
nixos/acme: Update documentation
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
  DNS validation for all domains.
- Update DNS docs to show using a service to configure
  rfc2136 instead of manual steps.
2021-12-26 16:49:55 +00:00
Lucas Savva 377c6bcefc
nixos/acme: Add defaults and inheritDefaults option
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.

With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.

The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
2021-12-26 16:44:10 +00:00
Lucas Savva a7f0001328
nixos/acme: Check for revoked certificates
Closes #129838

It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794

Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
2021-12-26 16:44:09 +00:00
Lucas Savva 87403a0b07
nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependant services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
2021-12-26 16:44:08 +00:00
Lucas Savva a88d846b91
nixos/acme: Remove selfsignedDeps from finished targets
selfsignedDeps is already appended to the after and wants
of a cert's renewal service, making these redundant.

You can see this if you run the following command:
systemctl list-dependencies --all --reverse acme-selfsigned-mydomain.com.service
2021-12-26 16:44:07 +00:00
Graham Christensen 06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Martin Weinelt e675946ecd
Merge pull request #125256 from deviant/acme-standalone 2021-12-11 22:06:48 +01:00
Janne Heß 7b5fb05a0d
nixos/pam: Type all limit options 2021-12-09 12:48:02 +01:00
pennae e24a8775a8 treewide: set defaultText for options using simple path defaults
adds defaultText for all options that set their default to a path expression
using the ubiquitous `cfg` shortcut bindings.
2021-12-09 01:12:13 +01:00
ajs124 eee45bb295
Merge pull request #146815 from ElvishJerricco/systemd-utils-expressions
Move systemd-lib.nix and systemd-unit-options.nix into utils
2021-12-08 15:07:28 +00:00
Janne Heß e37aab2130
nixos/acme: Allow disabling bash tracing
This is horrible if you want to debug failures that happened during
system switches but your 30-ish acme clients spam the log with the same
messages over and over again.
2021-12-07 14:17:56 +01:00
pennae 2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Roman Frołow de6181dc51
nixos/acme: fix typo in docs 2021-11-30 21:31:50 +08:00
Lucas Savva be952aba1c nixos/acme: Fix rate limiting of selfsigned services
Closes NixOS/nixpkgs#147348

I was able to reproduce this intermittently in the
test suite during the tests for HTTPd. Adding
StartLimitIntervalSec=0 to disable rate limiting
for these services works fine. I added it anywhere
there was a ConditionPathExists.
2021-11-29 11:15:31 +01:00
Victor Engmark dcb941f3ed security/pam: Document test location 2021-11-27 20:36:50 +02:00
Poscat 942f57e79b nixos/acme: add an option for reloading systemd services after renewal 2021-11-24 13:50:20 -08:00
Will Fancher 851495a752 Move systemd-lib.nix and systemd-unit-options.nix into utils 2021-11-20 17:52:29 -05:00
Victor Engmark ef58bbf9b7 nixos/pam: avoid extra lines in pam files 2021-11-16 19:26:43 +13:00
github-actions[bot] 707b006bf7
Merge master into staging-next 2021-11-09 00:01:30 +00:00
sternenseemann d14ae62671 nixos/terminfo: inherit TERMINFO* env vars also for doas
This should mirror the behavior we implement for sudo: The TERMINFO and
TERMINFO_DIRS variables are inherited from the normal user's
environment, so terminfo files installed in the user's profile can be
found by ncurses applications running as root.
2021-11-08 14:05:24 -08:00
github-actions[bot] eeb7e66e97
Merge master into staging-next 2021-11-06 18:01:01 +00:00
Nico Berlee 90bac670c0 nixos/pam: pam_mkhomedir umask to 0077
pam_mkhomedir should create homedirs with the same umask as the rest
of the system. Currently it creates homedirs with go+rx which makes
it readable for other non-privileged users.
2021-11-06 17:45:00 +02:00
github-actions[bot] 9e0658fa12
Merge staging-next into staging 2021-10-27 06:01:57 +00:00
github-actions[bot] 160c71e060
Merge master into staging-next 2021-10-27 06:01:21 +00:00
Peter Hoeg 22a500a3f8 pam_mount: do not re-prompt for password
nixos-rebuild test causes pam_mount to prompt for a password when running with
an encrypted home:

building '/nix/store/p6bflh7n5zy2dql8l45mix9qnzq65hbk-nixos-system-mildred-18.09.git.98592c5da79M.drv'...
activating the configuration...
setting up /etc...
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): crypt_activate_by_passphrase: File exists
(pam_mount.c:522): mount of /dev/mapper/vg0-lv_home_peter failed
kbuildsycoca5 running...

This change makes pam_mount not prompt. It still tries to remount (and fails in
the process) but that message can be ignored.

Fixes: #44586
2021-10-27 08:53:15 +08:00
github-actions[bot] 47ad670e14
Merge staging-next into staging 2021-10-26 00:02:18 +00:00
Martin Weinelt a47e0a6554 Merge remote-tracking branch 'origin/master' into staging-next 2021-10-25 21:03:48 +02:00
Martin Weinelt 1c20719373
Merge pull request #139311 from NinjaTrappeur/nin-acme-fix-webroot 2021-10-25 20:27:29 +02:00
Maciej Krüger b33ac6e5c0
Merge pull request #137646 from mkg20001/pam-audit 2021-10-19 15:28:51 +02:00
Luke Granger-Brown 1b74469cd0 nixos/ca: use cacert package build for options and p11-kit output
The cacert package can now generate p11-kit-compatible output itself,
as well as generating the correct set of outputs for fully-joined
and unbundled "traditional" outputs (in standard PEM and
OpenSSL-compatible formats).
2021-10-08 01:21:57 +00:00
Naïm Favier 2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Félix Baylac-Jacqué 73846b372f
nixos/acme: add webroots to ReadWritePaths
Since 7a10478ea7, all /var except
/var/lib/acme gets mounted in a read-only fashion. This behavior
breaks the existing acme deployments having a webroot set outside of
/var/lib/acme.

Collecting the webroots and adding them to the paths read/write
mounted to the systemd service runtime tree.

Fixes #139310
2021-10-04 10:08:35 +02:00
Maciej Krüger f3d00b3a94
nixos/pam: add pam_tty_audit option 2021-10-03 20:47:44 +02:00
Michele Guerini Rocco 2fcef20cb1
Merge pull request #138600 from austinbutler/tpm2-tss-group
nixos/tpm2: define group, fix after #133166
2021-09-20 18:34:39 +02:00
Austin Butler 8b6fa3c821 nixos/tpm2: define group, fix after NixOS#133166 2021-09-19 12:40:54 -07:00
rnhmjoj 1bd7260adb
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
2021-09-19 12:06:00 +02:00
Guillaume Girol ceb2e6667b
Merge pull request #126289 from rnhmjoj/wrappers
nixos/security/wrappers: make well-typed
2021-09-18 15:28:49 +00:00
rnhmjoj dc34788a25
nixos/lock-kernel-modules: use udevadm settle
Instead of relying on systemd-udev-settle, which is deprecated,
directly call `udevamd settle` to wait for hardware to settle.
2021-09-15 14:36:50 +02:00
rnhmjoj 65e83b0e23
nixos: fix nobody/nogroup in security.wrappers 2021-09-13 13:48:13 +02:00
rnhmjoj fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00
rnhmjoj 8f76a6eefc
nixos: add implict security.wrappers options
This is to keep the same permissions/setuid/setgid as before the change
in security.wrappers defaults.
2021-09-13 13:48:13 +02:00
rnhmjoj 27dcb04cde
nixos/security/wrappers: remove WRAPPER_PATH
This appears to be a leftover from 628e6a83.
2021-09-13 13:48:13 +02:00
rnhmjoj 936e8eaf41
nixos/security/wrappers: fix shell quoting 2021-09-13 13:48:12 +02:00
rnhmjoj 7d8b303e3f
nixos/security/wrappers: check that sources exist
Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.
2021-09-13 10:38:04 +02:00
rnhmjoj 22004f7e8f
nixos/security/wrappers: use fixed defaults
To keep backward compatibility and have a typing would require making
all options null by default, adding a defaultText containing the actual
value, write the default value logic based on `!= null` and replacing
the nulls laters. This pretty much defeats the point of having used
a submodule type.
2021-09-12 21:43:25 +02:00
rnhmjoj 904f68fb0f
nixos/security/wrappers: make well-typed
The security.wrappers option is morally a set of submodules but it's
actually (un)typed as a generic attribute set. This is bad for several
reasons:

1. Some of the "submodule" option are not document;
2. the default values are not documented and are chosen based on
   somewhat bizarre rules (issue #23217);
3. It's not possible to override an existing wrapper due to the
   dumb types.attrs.merge strategy;
4. It's easy to make mistakes that will go unnoticed, which is
   really bad given the sensitivity of this module (issue #47839).

This makes the option a proper set of submodule and add strict types and
descriptions to every sub-option. Considering it's not yet clear if the
way the default values are picked is intended, this reproduces the current
behavior, but it's now documented explicitly.
2021-09-12 21:43:03 +02:00
Guillaume Girol bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Zhaofeng Li 59af7f0a2b apparmor: Fix cups-client typo 2021-08-23 00:50:15 -07:00
Jörg Thalheim 9b962429be
Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
2021-08-20 23:23:42 +01:00
Jörg Thalheim 1645acf1d3 nixos: reduce pam files rebuilds on updates
Before whenever environment variables changed, pam files had to be
rebuild.

This is expensive since each file needs its own sandbox set up.
2021-08-20 23:43:30 +02:00
Malte Tammena 891e537592 Fix security.pam.yubico.challengeResponsePath type
The config is optional and may be left `null`.
2021-08-17 16:55:50 +02:00
Guillaume Girol f626a23cd3
Merge pull request #130522 from Mic92/polkit
nixos/polkit: put polkituser into polkituser group
2021-08-08 15:09:15 +00:00
Martin Weinelt f49b03c40b
Merge pull request #123258 from mweinelt/acme-hardening 2021-08-08 15:50:24 +02:00
Jörg Thalheim b5f5a5e341 nixos/polkit: put polkituser into polkitgroup 2021-07-18 08:58:30 +02:00
mlatus 43ca464e37 nixos/pam: allow users to set the path to store challenge and expected responsed used by yubico_pam 2021-07-17 15:05:31 +08:00
Martin Weinelt 7a10478ea7
nixos/acme: harden systemd units 2021-07-06 15:16:01 +02:00
Martin Weinelt dc940ecdb3
Merge pull request #121750 from m1cr0man/master
nixos/acme: Ensure certs are always protected
2021-07-06 15:10:54 +02:00
Jörg Thalheim e12188c0f2
nixos/systemd-confinment: use /var/empty as chroot mountpoint
bind mounting directories into the nix-store breaks nix commands.
In particular it introduces character devices that are not supported
by nix-store as valid files in the nix store. Use `/var/empty` instead
which is designated for these kind of use cases. We won't create any
files beause of the tmpfs mounted.
2021-07-01 08:01:18 +02:00
Jörg Thalheim 1e125a8002
Merge pull request #122674 from wakira/pam-order
nixos/pam: prioritize safer auth methods over fingerprints
2021-06-26 16:52:25 +02:00
Jenny 7bf7d9f8a7
nixos/pam_mount: add support for FUSE-filesystems (#126069) 2021-06-08 22:06:28 +02:00
Niklas Hambüchen fdca90d07f
docs: acme: Fix typo 2021-06-06 14:27:13 +02:00
V 6fc18eb419 nixos/acme: Allow using lego's built-in web server
Currently, we hardcode the use of --http.webroot, even if no webroot is
configured. This has the effect of disabling the built-in server.

Co-authored-by: Chris Forno <jekor@jekor.com>
2021-06-05 06:00:45 +02:00
Sandro 44327ab7dc
Merge pull request #124991 from ju1m/apparmor 2021-06-01 15:26:30 +02:00