pennae
831024e2b9
nixos/dhcpcd: assert if privSep && alternative malloc
...
dhcpcd does not run properly with some of the hardened system mallocs
that are currently available. assert when an incompatible configuration
is detected, as a switch into such a config from e.g. auto-update can take
hosts offline.
2022-01-03 22:32:13 +01:00
Franz Pletz
d5b0e12d9b
Merge pull request #147516 from pennae/dhcpcd
...
dhcpcd: 8.1.4 -> 9.4.1, module updates, enable privsep
2021-12-20 14:44:58 +01:00
pennae
971adf24eb
nixos/dhcpcd: set RuntimeDirectory
2021-12-20 10:53:13 +01:00
Zhaofeng Li
a4bcad541e
unifi5: Follow new mitigation guidelines
...
Simply disabling lookups isn't enough, and the JndiLookup class must be
removed:
https://web.archive.org/web/20211217085954/https://logging.apache.org/log4j/2.x/security.html
2021-12-17 15:55:13 -08:00
pennae
64bbe28843
nixos/unifi: rename openPorts to openFirewall
...
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
2021-12-17 21:30:52 +01:00
pennae
2000a1edcd
nixos/unifi: add deprecation warning for openPorts
...
modules are discouraged from opening ports in the firewall unless
explicitly told to do so. add a deprecation notice for this in unifi.
2021-12-17 21:30:52 +01:00
Franz Pletz
0cb8669638
dhcpcd: use dhcpcd as privsep user
2021-12-17 19:23:00 +01:00
Graham Christensen
06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
...
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Martin Weinelt
37527494b6
Merge pull request #150329 from zhaofengli/unifi-6.5.54
2021-12-12 14:10:10 +01:00
Zhaofeng Li
e992604bf0
nixos/unifi: Apply log4j2 mitigation
2021-12-12 01:48:58 -08:00
Pascal Bach
51e80b4ded
Merge pull request #149723 from pingiun/patch-5
...
eternal-terminal: remove syslog.target from service
2021-12-11 22:45:22 +01:00
Pascal Bach
98a81a3152
Merge pull request #149733 from lunik1/adguard-syslog
...
nixos/adguardhome: remove syslog.target from service
2021-12-11 22:45:08 +01:00
Ryan Mulligan
c84ba61d73
Merge pull request #149860 from 1000teslas/xrdp-conf
...
nixos/xrdp: add confDir option
2021-12-11 10:45:53 -08:00
Lara
c2b79874a7
nixos/jitsi-videobridge: Mitigate CVE-2021-44228 (#150021)
...
This commit mitigates a remote code execution vulnerability in the log4j
library.
2021-12-10 11:16:20 +01:00
Kevin Tran
1906561f8d
Update nixos/modules/services/networking/xrdp.nix
...
Co-authored-by: Ryan Mulligan <ryan@ryantm.com>
2021-12-10 09:08:45 +11:00
1000teslas
9c478c1995
nixos/xrdp: add confDir option
2021-12-10 00:56:21 +11:00
pennae
e67a646a92
treewide: add defaultText to remaining options
...
these are mostly options that use alias bindings, bindings to constants,
or bindings to calculated values.
2021-12-09 01:42:24 +01:00
pennae
2d564521c0
treewide: add literalDocBook text to options with complex defaults
...
some options have defaults that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
2021-12-09 01:38:24 +01:00
pennae
b9950385e5
treewide: make option examples constant
...
escape interpolations in examples, or replace them where they are not
useful.
2021-12-09 01:38:24 +01:00
pennae
e72435e612
treewide: make option descriptions constants
...
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
2021-12-09 01:21:04 +01:00
pennae
ed673a69db
treewide: add defaultText for options with simple cfg.* expression defaults
...
adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
2021-12-09 01:14:16 +01:00
pennae
e24a8775a8
treewide: set defaultText for options using simple path defaults
...
adds defaultText for all options that set their default to a path expression
using the ubiquitous `cfg` shortcut bindings.
2021-12-09 01:12:13 +01:00
lunik1
1f0bbdb6fc
nixos/adguardhome: remove syslog.target from service
2021-12-08 22:18:25 +00:00
Jelle Besseling
f226901f7f
eternal-terminal: remove syslog.target from service
2021-12-08 22:48:20 +01:00
Bjørn Forsman
8eb814e964
Revert "nixos/ddclient: fix permission for ddclient.conf (#148179)"
...
This reverts commit 6af3d13bec.
Reported by @arcnmx
(https://github.com/NixOS/nixpkgs/pull/148179#issuecomment-987197656):
Does this not completely break the service? It doesn't change the
owner to the same as the ddclient server (which is somewhat difficult
due to it being a DynamicUser), so this now makes the service
completely unusable because the config is only readable by its owner,
root:
ddclient[871397]: WARNING: file /run/ddclient/ddclient.conf: Cannot open file '/run/ddclient/ddclient.conf'. (Permission denied)
Given that the RuntimeDirectory was only readable by the ddclient
service, the warning this PR fixes was spurious and not indicative of
an actual information leak. I'm not sure of what a quick fix would be
due to DynamicUser, but would at least request a revert of this so the
service can work again?
2021-12-07 19:44:20 +01:00
Janne Heß
fd6a2f3279
Merge pull request #149280 from netixx/fix-freeradius
...
freeradius: fix radius user
2021-12-07 19:35:38 +01:00
Finn Behrens
673ad7eb36
nixos/pleroma: create cookie if not existing (#149368)
2021-12-07 17:32:55 +01:00
Netix (Espinet François)
9d7ce57da5
freeradius: fix radius user
...
We now must choose either system or normal user when creating a user
2021-12-07 08:51:57 +01:00
Robert Hensing
862d167f17
Merge pull request #147441 from pennae/option-doc-staticizing
...
nixos/*: add trivial defaultText to options where applicable
2021-12-06 01:35:38 +01:00
Martin Weinelt
d94cec6ead
Merge pull request #148543 from mweinelt/knot-hardening
2021-12-05 02:44:28 +01:00
Sean Heath
6af3d13bec
nixos/ddclient: fix permission for ddclient.conf (#148179)
2021-12-05 02:07:42 +01:00
Martin Weinelt
67f102d8d8
nixos/knot: update systemd hardening
2021-12-04 16:53:31 +01:00
Felix Schröter
d6a4500f88
nixos/ddclient: support all special characters in password
2021-12-04 16:28:31 +01:00
Niklas Hambüchen
6c9f46d063
Merge pull request #148389 from GTrunSec/consul
...
nixos/consul: update deprecated setting
2021-12-03 21:53:10 +01:00
Jörg Thalheim
99c916dd8e
Merge pull request #148201 from Artturin/nixservesecret
...
nix-serve: fix NIX_SECRET_KEY_FILE
2021-12-03 17:50:27 +00:00
GTrunSec
8e92c6c510
nixos/consul: update deprecated webUi
2021-12-03 09:46:24 -08:00
Maciej Krüger
aac7065c8d
Merge pull request #148108 from mkg20001/lxdimageserver
2021-12-03 16:06:21 +01:00
kyren
c23851c47e
Fix shairport-sync module to create and set an explicit group
2021-12-03 03:16:03 -05:00
pennae
2512455639
nixos/*: add trivial defaultText for options with simple defaults
2021-12-02 22:35:04 +01:00
Aaron Andersen
ac573f3975
Merge pull request #148049 from hexagonal-sun/shairport-firewall-rules
...
nixos/shairport-sync: add firewall rules
2021-12-02 15:21:28 -05:00
Matthew Leach
ea90c516e7
nixos/shairport-sync: add firewall rules
...
Add an option to automatically open the firewall for shairport.
2021-12-02 19:24:50 +00:00
Artturin
2fb77151e8
nix-serve: fix NIX_SECRET_KEY_FILE
2021-12-02 17:45:50 +02:00
Maciej Krüger
7a89ee6171
nixos/lxd-image-server: fix logrotate
2021-12-01 08:39:36 +01:00
Martin Weinelt
1f726635ee
nixos/charybdis: implement reload functionality
...
IRC daemons are highly stateful daemons, so allow config changes without
kicking all server and client connections.
Basically a port of 60c62214f5.
2021-11-30 23:33:34 +01:00
pennae
8072ee22f2
dhcpcd, nixos/dhcpcd: enable privsep
...
dhcpcd 9 supports privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.
if the dhcpcd module is not used and the _dhcpcd user/group isn't
defined otherwise dhcpcd will fall back to not using privsep.
2021-11-30 19:51:45 +01:00
pennae
5269674a6d
dhcpcd: 8.1.4 -> 9.4.1
...
by @erictapen:
- Removed note about testing and moved it to passthru.tests
- Removed patch, as it is probably the same as
56b2bb17d2ec67e1f93950944211f6cf8c40e0fb, which landed in upstream.
other changes:
- changed PIDFile in the module, since dhcpcd 9 changed the location
2021-11-30 19:51:45 +01:00
rnhmjoj
97a3b2af1d
monero: rename to monero-cli
...
To make repology.org happy, use the -cli suffix.
2021-11-28 11:35:14 +01:00
Sandro
338bf1f1b2
Merge pull request #143995 from erictapen/systemd-workingdirectory
2021-11-22 16:25:54 +01:00
Aaron Andersen
c9fde80d80
Merge pull request #146445 from GTrunSec/nomad
...
nixos/nomad: add flag of plugin-dir
2021-11-21 13:45:25 -05:00
Alex Martens
4639589f88
nixos/sabnzbd: add package option
2021-11-19 20:01:24 -08:00