- based on module originally written by @srhb
- complies with available options in cfssl v1.3.2
- uid and gid 299 reserved in ids.nix
- added simple nixos test case
This reverts a part of 5bd12c694b.
Apparently there's no way to specify user for RuntimeDirectory in systemd
service file (it's always root) but tor won't create control socket if the dir
is owned by anybody except the tor user.
These hardenings were adopted from the upstream service file, checked
against systemd.service(5) and systemd.exec(5) manuals, and tested to
actually work with all the options enabled.
`PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5),
removed.
`--RunAsDaemon 0` is the default value according to tor(5), removed.
In AdRoll/hologram#62 support was added to hologram to configure
LDAP-based authorization of which roles a user was allowed to get
credentials for. This adds the ability to configure that.
Additionally, AdRoll/hologram/#94 added support to customize the LDAP
group query, so this also feeds that configuration through.
fixes #37393
Update physlock to a more current version which supports PAM and
systemd-logind. Amongst others, this should work now with the slim
login manager without any additional configuration, because it does
not rely on the utmp mechanism anymore.
* nixos/usbguard: create package and module
No usbguard module or package existed for NixOS previously. USBGuard
will protect you from BadUSB attacks. (assuming configuration is done
correctly)
* nixos/usbguard: remove extra packages
Users can override this by themselves.
* nixos/usbguard: add maintainer and fix style
Before this commit default relay configuration could produce unexpected
real life consequences. This patch makes those choices explicit and
documents them extensively.
* modules sks and pgpkeyserver-lite:
runs the sks keyserver with optional nginx proxy for webgui.
* Add calbrecht to maintainers
* module sks: fix default hkpAddress value
* module pgpkeyserver-lite: make hkpAddress a string type option
and use (builtins.head services.sks.hkpAddress) as default value
* module sks: remove leftover service dependencies
* nixos/tor: add hiddenServices option
This change allows to configure hidden services more conveniently.
* nixos/tor: fix default/example mixup
* nixos/tor: use docbook in documentation
Also use more elegant optionalString for optional strings.
* tor: seperate hidden service port by newline
* tor: better example for hidden service path
a path below /var/lib/tor is usually used for hidden services
Syntax errors prevented important parameters from being passed to
oauth2_proxy, which could have permitted unauthorised access to
services behind the proxy.