3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

953 commits

Author SHA1 Message Date
Craig Younkins 8b12b17df3
treewide: Fix broken Gmane URLs 2018-12-25 22:34:55 -05:00
Florian Klink 3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Florian Klink 91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00
Arian van Putten ef6ed03e2f nixos/nscd: Address doc feedback 2018-12-12 15:35:40 +01:00
Arian van Putten 335b41b3fb nixos/nscd: Add release note entry about nscd changes 2018-12-12 15:35:40 +01:00
Jörg Thalheim 91a7848fe2
nixos/release-notes: mention removal of quassel-webserver 2018-12-08 16:31:28 +00:00
Mario Rodas f1dd6faaaa
docs: Remove nix-repl references
nix-repl has been deprecated
2018-12-03 21:37:54 -05:00
markuskowa 506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b 0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Tobias Happ 95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
Florian Klink 43762227f8
Merge pull request #49385 from krav/gitlab-shell-authorized-keys
gitlab-shell: 8.3.3->8.4.1, fix hardcoded paths
2018-11-29 21:18:08 +01:00
Florian Klink 3caeeabb14 gitlab: stop regenerating the authorized_keys file 2018-11-28 23:09:23 +01:00
Renaud 36994f8620
Merge pull request #51073 from erikarvstedt/docs
Minor doc fixes
2018-11-28 20:34:53 +01:00
Svein Ove Aas 24865963f0 modularity: Document the ability to use non-files in imports (#50503)
* modularity: Document the ability to use non-files in imports
* Update nixos/doc/manual/configuration/modularity.xml

Co-Authored-By: Baughn <svein@google.com>
2018-11-28 12:39:51 +01:00
Brandon Black dacbd5a61a nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
2018-11-28 10:15:25 +00:00
Erik Arvstedt 931b7b47a2 nixos tests doc: minor fixes
This fixes some quirks I introduced in previous commits.

1. No need for an extra newline when printing the output of shell commands.
2. 'or die' is what's already used in the NixOS test sources, while
   'die unless' has no occurrences.
2018-11-26 19:36:50 +01:00
Jörg Thalheim d3aeed389c
Merge pull request #50641 from blaxill/firewallMerge
nixos/firewall: Always use global firewall.allowed rules
2018-11-23 11:42:16 +00:00
Ben Blaxill 308ab4ea25 Rename back to default and better release notes 2018-11-22 19:24:23 -05:00
Ben Blaxill b48c6d051b Add release notes 2018-11-21 17:08:12 -05:00
Craig Younkins a629f967f7 Fix release notes XML para closing tag 2018-11-20 18:46:52 +00:00
Frederik Rietdijk 63c6875f26 Merge master into staging-next 2018-11-18 10:32:12 +01:00
zimbatm b56191746e
nixos: doc typo and ws 2018-11-16 22:44:55 +01:00
Jörg Thalheim 6f607b806d
Merge pull request #49821 from DIzFer/profiles-documentation
Docs: Add chapter on Profiles
2018-11-14 11:32:12 +00:00
Tobias Happ 4839403dd6 nixos/{lightdm,sddm,xpra}: remove enabling of logToFile 2018-11-13 21:52:37 +01:00
Robert Hensing dd3aca2d0b
Merge pull request #49256 from roberth/nixos-nixpkgs-pkgs-use-overlays
NixOS: use overlays when nixpkgs.pkgs is set
2018-11-13 09:55:24 +01:00
Frederik Rietdijk 7863aae5b2 Merge master into staging-next 2018-11-11 08:59:44 +01:00
Silvan Mosberger e468a1091b
Merge pull request #48687 from danielrutz/port-type
Add port type
2018-11-10 15:12:07 +01:00
Frederik Rietdijk 53d00c3351 Merge master into staging-next 2018-11-10 11:08:54 +01:00
Samuel Dionne-Riel 2f668e3248
Merge pull request #40043 from kierdavis/ckb-update-and-cleanup
ckb/ckb-next: 0.2.9 -> 0.3.2, and cleanup
2018-11-09 23:59:58 +00:00
rnhmjoj 21dfccd93d
nixos/manual: move syncthing notice in the right position 2018-11-07 08:32:03 +01:00
Jörg Thalheim bac872592c
Typo in clone-config
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 23:08:26 +01:00
David Izquierdo 6abe1e5981 Even more typos in hardened 2018-11-06 22:54:43 +01:00
Jan Tojnar 6be1696c80
Update nixos/doc/manual/configuration/profiles/demo.xml
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:51:33 +01:00
Jan Tojnar dbd1a5f216
Second typo in docker-container
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:50:25 +01:00
Jan Tojnar c7e3f19fc2
Fixed typo in docker-container
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:49:44 +01:00
Jörg Thalheim f488a072f9
Update nixos/doc/manual/configuration/profiles/clone-config.xml
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:48:05 +01:00
David Izquierdo b303688f46 Docs: init section QEMU Guest in chapter Profiles 2018-11-06 12:58:41 +01:00
David Izquierdo 62e64978d2 Docs: init section Minimal in chapter Profiles 2018-11-06 12:58:30 +01:00
David Izquierdo d2af8fb3d2 Docs: init section Installation Device in chapter Profiles 2018-11-06 12:58:14 +01:00
David Izquierdo 670ee54a28 Docs: init section Headless in chapter Profiles 2018-11-06 12:58:05 +01:00
David Izquierdo 614ea40443 Docs: init section Hardened in chapter Profiles 2018-11-06 12:57:50 +01:00
David Izquierdo b10d669919 Docs: init section Graphical in chapter Profiles 2018-11-06 12:57:37 +01:00
David Izquierdo 207bbdcb91 Docs: init section Docker Container in chapter Profiles 2018-11-06 12:57:25 +01:00
David Izquierdo 40f2cdb302 Docs: init section Demo in chapter Profiles 2018-11-06 12:56:48 +01:00
David Izquierdo e6445abe64 Docs: Stub for section Clone Config in chapter Profiles 2018-11-06 12:56:22 +01:00
David Izquierdo 4c02d4cb55 Docs: init section Base in chapter Profiles 2018-11-06 12:56:07 +01:00
David Izquierdo 57d9bc4ce2 Docs: init chapter Profiles with section All Hardware 2018-11-06 12:55:37 +01:00
Sarah Brofeldt 81de3e39b0
Merge pull request #49516 from johanot/kubedns-to-coredns
nixos/kubernetes: KubeDNS -> CoreDNS
2018-11-06 10:30:49 +01:00
Kier Davis 3b7984dd51
Merge branch 'master' into ckb-update-and-cleanup 2018-11-06 00:47:14 +00:00