3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

2596 commits

Author SHA1 Message Date
pennae 831024e2b9 nixos/dhcpcd: assert if privSep && alternative malloc
dhcpcd does not run properly with some of the hardened system mallocs
that are currently available. assert when an incompatible configuration
is detected, as a switch into such a config from eg auto-update can take
hosts offline.
2022-01-03 22:32:13 +01:00
Franz Pletz d5b0e12d9b
Merge pull request #147516 from pennae/dhcpcd
dhcpcd: 8.1.4 -> 9.4.1, module updates, enable privsep
2021-12-20 14:44:58 +01:00
pennae 971adf24eb nixos/dhcpcd: set RuntimeDirectory 2021-12-20 10:53:13 +01:00
Zhaofeng Li a4bcad541e unifi5: Follow new mitigation guidelines
Simply disabling lookups isn't enough, and the JndiLookup class must be
removed:

https://web.archive.org/web/20211217085954/https://logging.apache.org/log4j/2.x/security.html
2021-12-17 15:55:13 -08:00
pennae 64bbe28843 nixos/unifi: rename openPorts to openFirewall
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
2021-12-17 21:30:52 +01:00
pennae 2000a1edcd nixos/unifi: add deprecation warning for openPorts
modules are discouraged from opening ports in the firewall unless
explicitly told to do so. add a deprecation notice for this in unifi.
2021-12-17 21:30:52 +01:00
Franz Pletz 0cb8669638
dhcpcd: use dhcpcd as privsep user 2021-12-17 19:23:00 +01:00
Graham Christensen 06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Martin Weinelt 37527494b6
Merge pull request #150329 from zhaofengli/unifi-6.5.54 2021-12-12 14:10:10 +01:00
Zhaofeng Li e992604bf0 nixos/unifi: Apply log4j2 mitigation 2021-12-12 01:48:58 -08:00
Pascal Bach 51e80b4ded
Merge pull request #149723 from pingiun/patch-5
eternal-terminal: remove syslog.target from service
2021-12-11 22:45:22 +01:00
Pascal Bach 98a81a3152
Merge pull request #149733 from lunik1/adguard-syslog
nixos/adguardhome: remove syslog.target from service
2021-12-11 22:45:08 +01:00
Ryan Mulligan c84ba61d73
Merge pull request #149860 from 1000teslas/xrdp-conf
nixos/xrdp: add confDir option
2021-12-11 10:45:53 -08:00
Lara c2b79874a7
nixos/jitsi-videobridge: Mitigate CVE-2021-44228 (#150021)
This commit mitigates a remote code execution vulnerability in the log4j
library.
2021-12-10 11:16:20 +01:00
Kevin Tran 1906561f8d
Update nixos/modules/services/networking/xrdp.nix
Co-authored-by: Ryan Mulligan <ryan@ryantm.com>
2021-12-10 09:08:45 +11:00
1000teslas 9c478c1995 nixos/xrdp: add confDir option 2021-12-10 00:56:21 +11:00
pennae e67a646a92 treewide: add defaultText to remaining options
these are mostly options that use alias bindings, bindings to constants,
or bindings to calculated values.
2021-12-09 01:42:24 +01:00
pennae 2d564521c0 treewide: add literalDocBook text to options with complex defaults
some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
2021-12-09 01:38:24 +01:00
pennae b9950385e5 treewide: make option examples constant
escape interpolations in examples, or replace them where they are not
useful.
2021-12-09 01:38:24 +01:00
pennae e72435e612 treewide: make option descriptions constants
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
2021-12-09 01:21:04 +01:00
pennae ed673a69db treewide: add defaultText for options with simple cfg.* expression defaults
adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
2021-12-09 01:14:16 +01:00
pennae e24a8775a8 treewide: set defaultText for options using simple path defaults
adds defaultText for all options that set their default to a path expression
using the ubiquitous `cfg` shortcut bindings.
2021-12-09 01:12:13 +01:00
lunik1 1f0bbdb6fc
nixos/adguardhome: remove syslog.target from service 2021-12-08 22:18:25 +00:00
Jelle Besseling f226901f7f
eternal-terminal: remove syslog.target from service 2021-12-08 22:48:20 +01:00
Bjørn Forsman 8eb814e964 Revert "nixos/ddclient: fix permission for ddclient.conf (#148179)"
This reverts commit 6af3d13bec.

Reported by @arcnmx
(https://github.com/NixOS/nixpkgs/pull/148179#issuecomment-987197656):

  Does this not completely break the service? It doesn't change the
  owner to the same as the ddclient server (which is somewhat difficult
  due to it being a DynamicUser), so this now makes the service
  completely unusable because the config is only readable by its owner,
  root:

    ddclient[871397]: WARNING:  file /run/ddclient/ddclient.conf: Cannot open file '/run/ddclient/ddclient.conf'. (Permission denied)

  Given that the RuntimeDirectory was only readable by the ddclient
  service, the warning this PR fixes was spurious and not indicative of
  an actual information leak. I'm not sure of what a quick fix would be
  due to DynamicUser, but would at least request a revert of this so the
  service can work again?
2021-12-07 19:44:20 +01:00
Janne Heß fd6a2f3279
Merge pull request #149280 from netixx/fix-freeradius
freeradius: fix radius user
2021-12-07 19:35:38 +01:00
Finn Behrens 673ad7eb36
nixos/pleroma: create cookie if not existing (#149368) 2021-12-07 17:32:55 +01:00
Netix (Espinet François) 9d7ce57da5 freeradius: fix radius user
We now must choose either system or normal user when creating a user
2021-12-07 08:51:57 +01:00
Robert Hensing 862d167f17
Merge pull request #147441 from pennae/option-doc-staticizing
nixos/*: add trivial defaultText to options where applicable
2021-12-06 01:35:38 +01:00
Martin Weinelt d94cec6ead
Merge pull request #148543 from mweinelt/knot-hardening 2021-12-05 02:44:28 +01:00
Sean Heath 6af3d13bec
nixos/ddclient: fix permission for ddclient.conf (#148179) 2021-12-05 02:07:42 +01:00
Martin Weinelt 67f102d8d8
nixos/knot: update systemd hardening 2021-12-04 16:53:31 +01:00
Felix Schröter d6a4500f88 nixos/ddclient: support all special characters in password 2021-12-04 16:28:31 +01:00
Niklas Hambüchen 6c9f46d063
Merge pull request #148389 from GTrunSec/consul
nixos/consul: update deprecated setting
2021-12-03 21:53:10 +01:00
Jörg Thalheim 99c916dd8e
Merge pull request #148201 from Artturin/nixservesecret
nix-serve: fix NIX_SECRET_KEY_FILE
2021-12-03 17:50:27 +00:00
GTrunSec 8e92c6c510
nixos/consul: update deprecated webUi 2021-12-03 09:46:24 -08:00
Maciej Krüger aac7065c8d
Merge pull request #148108 from mkg20001/lxdimageserver 2021-12-03 16:06:21 +01:00
kyren c23851c47e Fix shairport-sync module to create and set an explicit group 2021-12-03 03:16:03 -05:00
pennae 2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Aaron Andersen ac573f3975
Merge pull request #148049 from hexagonal-sun/shairport-firewall-rules
nixos/shairport-sync: add firewall rules
2021-12-02 15:21:28 -05:00
Matthew Leach ea90c516e7 nixos/shairport-sync: add firewall rules
Add an option to automatically open the firewall for shairport.
2021-12-02 19:24:50 +00:00
Artturin 2fb77151e8 nix-serve: fix NIX_SECRET_KEY_FILE 2021-12-02 17:45:50 +02:00
Maciej Krüger 7a89ee6171
nixos/lxd-image-server: fix logrotate 2021-12-01 08:39:36 +01:00
Martin Weinelt 1f726635ee nixos/charybdis: implement reload functionality
IRC daemons are highly stateful daemons, so allow config changes without
kicking all server and client connections.

Basically a port of 60c62214f5.
2021-11-30 23:33:34 +01:00
pennae 8072ee22f2 dhcpcd, nixos/dhcpcd: enable privsep
dhdpcd 9 support privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.

if the dhcpcd module is not used and the _dhcpcd user/group isn't
definied otherwise dhcpcd will fall back to not using privsep.
2021-11-30 19:51:45 +01:00
pennae 5269674a6d dhcpcd: 8.1.4 -> 9.4.1
by @erictapen:

- Removed note about testing and moved it to passthru.tests
- Removed patch, as it is probably the same as
  56b2bb17d2ec67e1f93950944211f6cf8c40e0fb, wich landed in upstream.

other changes:

- changed PIDFile in the module, since dhcpcd 9 changed the location
2021-11-30 19:51:45 +01:00
rnhmjoj 97a3b2af1d
monero: rename to monero-cli
To make repology.org happy, use the -cli suffix.
2021-11-28 11:35:14 +01:00
Sandro 338bf1f1b2
Merge pull request #143995 from erictapen/systemd-workingdirectory 2021-11-22 16:25:54 +01:00
Aaron Andersen c9fde80d80
Merge pull request #146445 from GTrunSec/nomad
nixos/nomad: add flag of plugin-dir
2021-11-21 13:45:25 -05:00
Alex Martens 4639589f88 nixos/sabnzbd: add package option 2021-11-19 20:01:24 -08:00