1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-03 02:51:18 +00:00
Commit graph

666 commits

Author SHA1 Message Date
Peter Hoeg 22a500a3f8 pam_mount: do not re-prompt for password
nixos-rebuild test causes pam_mount to prompt for a password when running with
an encrypted home:

building '/nix/store/p6bflh7n5zy2dql8l45mix9qnzq65hbk-nixos-system-mildred-18.09.git.98592c5da79M.drv'...
activating the configuration...
setting up /etc...
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): crypt_activate_by_passphrase: File exists
(pam_mount.c:522): mount of /dev/mapper/vg0-lv_home_peter failed
kbuildsycoca5 running...

This change makes pam_mount not prompt. It still tries to remount (and fails in
the process) but that message can be ignored.

Fixes: #44586
2021-10-27 08:53:15 +08:00
Martin Weinelt 1c20719373
Merge pull request #139311 from NinjaTrappeur/nin-acme-fix-webroot 2021-10-25 20:27:29 +02:00
Naïm Favier 2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Félix Baylac-Jacqué 73846b372f
nixos/acme: add webroots to ReadWritePaths
Since 7a10478ea7, all /var except
/var/lib/acme gets mounted in a read-only fashion. This behavior
breaks the existing acme deployments having a webroot set outside of
/var/lib/acme.

Collecting the webroots and adding them to the paths read/write
mounted to the systemd service runtime tree.

Fixes #139310
2021-10-04 10:08:35 +02:00
Michele Guerini Rocco 2fcef20cb1
Merge pull request #138600 from austinbutler/tpm2-tss-group
nixos/tpm2: define group, fix after #133166
2021-09-20 18:34:39 +02:00
Austin Butler 8b6fa3c821 nixos/tpm2: define group, fix after NixOS#133166 2021-09-19 12:40:54 -07:00
rnhmjoj 1bd7260adb
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
2021-09-19 12:06:00 +02:00
Guillaume Girol ceb2e6667b
Merge pull request #126289 from rnhmjoj/wrappers
nixos/security/wrappers: make well-typed
2021-09-18 15:28:49 +00:00
rnhmjoj dc34788a25
nixos/lock-kernel-modules: use udevadm settle
Instead of relying on systemd-udev-settle, which is deprecated,
directly call `udevamd settle` to wait for hardware to settle.
2021-09-15 14:36:50 +02:00
rnhmjoj 65e83b0e23
nixos: fix nobody/nogroup in security.wrappers 2021-09-13 13:48:13 +02:00
rnhmjoj fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00
rnhmjoj 8f76a6eefc
nixos: add implict security.wrappers options
This is to keep the same permissions/setuid/setgid as before the change
in security.wrappers defaults.
2021-09-13 13:48:13 +02:00
rnhmjoj 27dcb04cde
nixos/security/wrappers: remove WRAPPER_PATH
This appears to be a leftover from 628e6a83.
2021-09-13 13:48:13 +02:00
rnhmjoj 936e8eaf41
nixos/security/wrappers: fix shell quoting 2021-09-13 13:48:12 +02:00
rnhmjoj 7d8b303e3f
nixos/security/wrappers: check that sources exist
Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.
2021-09-13 10:38:04 +02:00
rnhmjoj 22004f7e8f
nixos/security/wrappers: use fixed defaults
To keep backward compatibility and have a typing would require making
all options null by default, adding a defaultText containing the actual
value, write the default value logic based on `!= null` and replacing
the nulls laters. This pretty much defeats the point of having used
a submodule type.
2021-09-12 21:43:25 +02:00
rnhmjoj 904f68fb0f
nixos/security/wrappers: make well-typed
The security.wrappers option is morally a set of submodules but it's
actually (un)typed as a generic attribute set. This is bad for several
reasons:

1. Some of the "submodule" option are not document;
2. the default values are not documented and are chosen based on
   somewhat bizarre rules (issue #23217);
3. It's not possible to override an existing wrapper due to the
   dumb types.attrs.merge strategy;
4. It's easy to make mistakes that will go unnoticed, which is
   really bad given the sensitivity of this module (issue #47839).

This makes the option a proper set of submodule and add strict types and
descriptions to every sub-option. Considering it's not yet clear if the
way the default values are picked is intended, this reproduces the current
behavior, but it's now documented explicitly.
2021-09-12 21:43:03 +02:00
Guillaume Girol bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Zhaofeng Li 59af7f0a2b apparmor: Fix cups-client typo 2021-08-23 00:50:15 -07:00
Jörg Thalheim 9b962429be
Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
2021-08-20 23:23:42 +01:00
Jörg Thalheim 1645acf1d3 nixos: reduce pam files rebuilds on updates
Before whenever environment variables changed, pam files had to be
rebuild.

This is expensive since each file needs its own sandbox set up.
2021-08-20 23:43:30 +02:00
Malte Tammena 891e537592 Fix security.pam.yubico.challengeResponsePath type
The config is optional and may be left `null`.
2021-08-17 16:55:50 +02:00
Guillaume Girol f626a23cd3
Merge pull request #130522 from Mic92/polkit
nixos/polkit: put polkituser into polkituser group
2021-08-08 15:09:15 +00:00
Martin Weinelt f49b03c40b
Merge pull request #123258 from mweinelt/acme-hardening 2021-08-08 15:50:24 +02:00
Jörg Thalheim b5f5a5e341 nixos/polkit: put polkituser into polkitgroup 2021-07-18 08:58:30 +02:00
mlatus 43ca464e37 nixos/pam: allow users to set the path to store challenge and expected responsed used by yubico_pam 2021-07-17 15:05:31 +08:00
Martin Weinelt 7a10478ea7
nixos/acme: harden systemd units 2021-07-06 15:16:01 +02:00
Martin Weinelt dc940ecdb3
Merge pull request #121750 from m1cr0man/master
nixos/acme: Ensure certs are always protected
2021-07-06 15:10:54 +02:00
Jörg Thalheim e12188c0f2
nixos/systemd-confinment: use /var/empty as chroot mountpoint
bind mounting directories into the nix-store breaks nix commands.
In particular it introduces character devices that are not supported
by nix-store as valid files in the nix store. Use `/var/empty` instead
which is designated for these kind of use cases. We won't create any
files beause of the tmpfs mounted.
2021-07-01 08:01:18 +02:00
Jörg Thalheim 1e125a8002
Merge pull request #122674 from wakira/pam-order
nixos/pam: prioritize safer auth methods over fingerprints
2021-06-26 16:52:25 +02:00
Jenny 7bf7d9f8a7
nixos/pam_mount: add support for FUSE-filesystems (#126069) 2021-06-08 22:06:28 +02:00
Niklas Hambüchen fdca90d07f
docs: acme: Fix typo 2021-06-06 14:27:13 +02:00
Sandro 44327ab7dc
Merge pull request #124991 from ju1m/apparmor 2021-06-01 15:26:30 +02:00
Vincent Bernat 632c8e1d54
nixos/acme: don't use --reuse-key
Reusing the same private/public key on renewal has two issues:

 - some providers don't accept to sign the same public key
   again (Buypass Go SSL)

 - keeping the same private key forever partly defeats the purpose of
   renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
2021-06-01 00:43:45 +02:00
Julien Moutinho 61654ca131 nixos/pam: use new plasma5Packages, fixes #124973 2021-05-30 21:44:25 +02:00
ajs124 e2cf342ba9 nixos/security/apparmor: utillinux -> util-linux 2021-05-17 17:14:08 +02:00
Keshav Kini 348858f297 nixos/security.pki: handle PEMs w/o a final newline
According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
2021-05-16 17:23:11 -07:00
Lucas Savva 083aba4f83 nixos/acme: Ensure certs are always protected
As per #121293, I ensured the UMask is set correctly
and removed any unnecessary chmod/chown/chgrp commands.
The test suite already partially covered permissions
checking but I added an extra check for the selfsigned
cert permissions.
2021-05-15 12:41:33 +01:00
Sheng Wang e0adda4113
nixos/pam: prioritize safer auth methods over fingerprints
Currently if fprintd is enabled, pam will ask for fingerprint
regardless of other configured authentication modules (e.g. yubikey).

This change make fingerprint the last resort of authentication before asking for password.
2021-05-12 13:25:08 +09:00
github-actions[bot] bc1f4b790e
Merge master into staging-next 2021-05-09 12:23:16 +00:00
Michele Guerini Rocco e5452226af
Merge pull request #121791 from dotlambda/sudo-execWheelOnly
nixos/sudo: add option execWheelOnly
2021-05-09 10:04:15 +02:00
Robert Schütz 5624aa9f81 nixos/sudo: add option execWheelOnly
By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
2021-05-08 23:48:00 +02:00
Martin Weinelt 9651084620 Merge remote-tracking branch 'origin/master' into staging-next 2021-05-08 14:43:43 +02:00
Jan Tojnar 468cb5980b gnome: rename from gnome3
Since GNOME version is now 40, it no longer makes sense to use the old attribute name.
2021-05-08 09:47:42 +02:00
Julien Moutinho b42a0e205d nixos/apparmor: disable killUnconfinedConfinables by default 2021-04-23 07:20:20 +02:00
Julien Moutinho 45e5d726b2 nixos/apparmor: improve code readability 2021-04-23 07:20:19 +02:00
Julien Moutinho 8f9b29d168 apparmor: 2.13.5 -> 3.0.0 2021-04-23 07:17:56 +02:00
Julien Moutinho 27032f4dd6 nixos/apparmor: fix logprof.conf generation 2021-04-23 07:17:56 +02:00
Tony Olagbaiye fca06b142a nixos/apparmor: remove an IFD
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
2021-04-23 07:17:55 +02:00
Julien Moutinho 05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00