3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

229 commits

Author SHA1 Message Date
Julien Moutinho 74f9321966 nixos/tor: fix client.dns.automapHostsSuffixes renaming 2021-01-05 22:34:01 +01:00
Julien Moutinho 0ccdd6f2b0 nixos/tor: improve type-checking and hardening
Fixes #77395.
Fixes #82790.
2021-01-04 01:02:26 +01:00
Alyssa Ross e17d4b05a1 nixos/tor: don't do privoxy stuff by default
It's very surprising that services.tor.client.enable would set
services.privoxy.enable.  This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.

So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default.  This change is documented in the
release notes.

Reported-by: V <v@anomalous.eu>
2020-12-16 12:20:03 +00:00
Peter Hoeg aa995fb0b7 nixos/sshguard: do not do IPv6 setup/teardown unconditionally 2020-12-11 16:19:45 +08:00
zowoq dbbd289982 nixos/*: fix indentation 2020-11-23 08:42:51 +10:00
lf- b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
Malte Brandy cebf9198f3
treewide: De-inline uses of lib.boolToString
This commit should not change eval results
2020-10-14 01:46:17 +02:00
WilliButz 76362dd7eb
nixos/bitwarden_rs: add environmentFile option
Add the option `environmentFile` to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.
2020-09-07 17:39:53 +02:00
WORLDofPEACE 18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
rnhmjoj 20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Silvan Mosberger 6716867eb3
Merge pull request #96686 from nixy/add/tor-package-option
tor: Add option to tor service for package
2020-08-30 23:02:37 +02:00
Andrew R. M 168a9c8d38 Add option to tor service for package 2020-08-30 14:35:36 -04:00
Lassulus c265ca02ca
Merge pull request #85963 from seqizz/g_physlock_message
physlock: add optional lock message
2020-08-27 10:18:34 +02:00
Florian Klink 962e15aebc nixos: remove StandardOutput=syslog, StandardError=syslog lines
Since systemd 243, docs were already steering users towards using
`journal`:

eedaf7f322

systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):

> [    6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
 your unit file, and consider removing the setting altogether.

So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:

> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
2020-08-13 18:49:15 +02:00
Philipp Bartsch ffd18cc1b1 nixos/usbguard: rework
Use StateDirectory to create necessary directories and hardcode some
paths. Also drop file based audit logs, they can be found in the
journal. And add module option deprecation messages.
2020-08-08 23:26:07 +02:00
Jörg Thalheim ba930d8679
nixos/modules: remove trailing whitespace
This leads to ci failure otherwise if the file gets changed.
git-blame can ignore whitespace changes.
2020-08-07 14:45:39 +01:00
Florian Klink ebfae82674 nixos/yubikey-agent: add missing mkIf
This accidentially added pkgs.yubikey-agent to
environment.systemPackages unconditionally.
2020-07-26 09:34:24 +02:00
Florian Klink 8f7a623af6
Merge pull request #92936 from philandstuff/add-yubikey-agent
yubikey-agent: init at 0.1.3
2020-07-23 17:52:30 +02:00
Nikola Knežević 53f42f245a
oauth2_proxy: 5.1.1 -> 6.0.0 (#93121)
The new release fixes one of the outstanding CVEs against oauth2_proxy:
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv.

In addition, rename the owner and the project name to reflect the
changes upstream (it now belongs to the oauth2-proxy organization, and
the name is oauth2-proxy)
2020-07-19 22:08:33 -07:00
Philip Potter e4029c34fc yubikey-agent: init at 0.1.3
This adds yubikey-agent as a package and a nixos module.

On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.

On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").

This might work on other flavors of unix, but I haven't tested.

We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally.  We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running.  As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.
2020-07-16 15:29:33 +01:00
Benjamin Hipple 152a29fef8
Merge pull request #77557 from c0deaddict/feature/nginx-sso-package-option
nixos/nginx.sso: add package option
2020-07-05 21:24:22 -04:00
Samuel Gräfenstein 5bb0b72720
nixos/*: wheter -> whether 2020-07-04 15:20:41 +02:00
Silvan Mosberger f03e85f703
Merge pull request #74589 from tmplt/fix-physlock
nixos/physlock: add suspend-then-hibernate to lockOn.suspend units
2020-06-17 18:06:52 +02:00
tmplt 51e995cc05 nixos/physlock: add suspend-then-hibernate to suspend/hibernate units 2020-06-16 23:42:56 +02:00
Jan Tojnar 0af23b05ab
Merge pull request #75435 from Elyhaka/fprintd 2020-05-25 12:22:48 +02:00
Philipp Bartsch 2827491c23 nixos/usbguard: update systemd sandboxing features
Apply upstream systemd service configuration options to improve
sandboxing.
2020-05-24 10:36:07 +02:00
Elyhaka 131a28e9f2
fprintd: 0.9.0 -> 1.90.1 2020-05-19 14:03:31 +02:00
Linus Heckemann db010c5537
Merge pull request #85687 from mayflower/privacyidea
Init privacyIDEA packages and modules
2020-05-13 09:08:57 +02:00
Robin Gloster f1f0e82c50
privacyidea: address reviews 2020-05-09 12:11:44 +02:00
zowoq c59c4e3589 nixos/*: use $out instead of $bin with buildGoPackage 2020-04-28 20:30:29 +10:00
Gürkan Gür e140dc9e4c physlock: add optional lock message 2020-04-24 23:26:57 +02:00
Bas van Dijk 784aa2913a
Merge pull request #79840 from knl/update-oauth2_proxy-to-5.0.0
oauth2_proxy: 3.2.0 -> 5.1.0
2020-04-22 12:15:07 +02:00
Robin Gloster 134c66b584
privacyidea module: init 2020-04-21 16:54:51 +02:00
Dominik Xaver Hörl 0412bde942 treewide: add bool type to enable options, or make use of mkEnableOption
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Nikola Knezevic 3c551848be oauth2_proxy: Update NixOS module
Update to match the current flags and apply fixes to all breaking changes.
2020-04-20 10:11:46 +02:00
Pavol Rusnak fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs 2020-04-18 14:04:37 +02:00
Simon Lackerbauer 017dca51fa
fail2ban: fix firewall warning 2020-03-22 18:11:36 +01:00
Izorkin c75398b10a nixos/fail2ban: disable work fail2ban without firewall 2020-03-18 09:54:19 +03:00
Jörg Thalheim c23f10da6a
fail2ban: 0.10.5 -> 0.11.1 (#67931)
fail2ban: 0.10.5 -> 0.11.1
2020-01-31 08:58:58 +00:00
Izorkin 96e2669114 nixos/fail2ban: enable sandboxing 2020-01-29 23:15:56 +03:00
Izorkin f1d7dfe29f nixos/fail2ban: add custom options 2020-01-29 23:15:56 +03:00
Izorkin a55be8d794 nixos/fail2ban: update serviceConfig 2020-01-29 23:15:56 +03:00
Izorkin 182012ef43 nixos/fail2ban: add options to enable work service with iptables-compat 2020-01-29 23:15:56 +03:00
Izorkin 68d601d65c nixos/fail2ban: clean-up configuration 2020-01-29 23:15:56 +03:00
Matthijs Steen 44dff89215 bitwarden_rs: 1.9.1 -> 1.13.1 2020-01-28 17:26:49 +01:00
Andreas Brenk 36da345caa nixos/sshguard: use nftables backend if enabled
The current module assumes use of iptables and breaks if nftables is
used instead.

This change configures the correct backend based on the
config.networking.nftables.enable setting.
2020-01-27 14:42:28 +01:00
Yorick van Pelt 15e98e7428
nixos/vault: add ExecReload entry 2020-01-24 18:59:13 +01:00
Jos van Bakel 6f3b04eb71
nixos/nginx.sso: add package option 2020-01-12 14:35:23 +01:00
Robert Hensing 9884cb3ed0
Merge pull request #76861 from Infinisil/paths-as-submodules
lib/types: Allow paths as submodule values
2020-01-12 14:19:04 +01:00
markuskowa 59670b0c56
Merge pull request #76939 from lourkeur/fix_76184_tsocks
nixos/tsocks: Add types to the options
2020-01-09 21:33:18 +01:00