1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-18 11:40:45 +00:00
Commit graph

994 commits

Author SHA1 Message Date
Sandro Jäckel 96790120df
nixos/pam: fix writeFile no longer taking null as an argument warning
> evaluation warning: pkgs.writeText "motd": The second argument should be a string, but it's a null instead, which is deprecated. Use `toString` to convert the value to a string first.
2024-08-09 14:20:47 +02:00
Pratham Patel 4074853391
nixos/pam: kwallet: add the forceRun option 2024-08-01 09:51:31 +05:30
Colin 7306423158
nixos/pam: fully-qualify modulePath
this ensures PAM users always get the intended version of a module when
multiple versions of the same module exist on a system.

most packages which consume `pam` and link against `libpam.so` do so only
to access its API, and not because they care about the specific
`pam_<xyz>.so` modules provided by that `pam`. but when specifying
modules by name only, PAM-capable applications may well load the
`pam_<xyz>.so` from the `pam` they were compiled against instead of the
pam declared in `security.pam.package`. by fully qualifying `modulePath`
we ensure that users can actually swap out pam modules without rebuilding
the world.
2024-07-30 23:53:58 +05:30
Colin 7511ed266c
nixos/pam: add security.pam.package option
this can be used to swap out which pam package is actually used by the
system for things like `pam_limits`, `pam_tty_audit`, etc, without forcing
a mass rebuild the way an overlay would.
2024-07-30 23:53:57 +05:30
Sigmanificient 6dd44107ac treewide: remove unused lib (and other) arguments 2024-07-26 11:18:09 +02:00
Masum Reza 13da3c09fb
Merge pull request #327499 from max-privatevoid/pam-kanidm-package-option
nixos/pam: use Kanidm's package option
2024-07-24 09:24:09 +05:30
Arian van Putten 8afba669e2 nixos/wrappers: use normal mount for /run/wrappers
We want to get rid of specialFileSystems / earlyMountScript eventually and
there is no need to run this before systemd anymore now that
the wrappers themselves are set up in a systemd unit since https://github.com/NixOS/nixpkgs/pull/263203

Also this is needed to make soft-reboot work. We want to make sure
that we remount /run/wrappers with the nosuid bit removed on soft-reboot
but because @earlyMountScript@ happens in initrd, this wouldn't happen
2024-07-20 16:07:43 +02:00
Max 1dd44eaf67 nixos/pam: use Kanidm's package option 2024-07-16 00:39:03 +02:00
novenary fcccfb9e48 nixos/pam/u2f: implement RFC0042
This module has a lot of options, so it's a good candidate for freeform
settings.
2024-07-05 17:07:02 +03:00
Jan Tojnar 1369411184 gnome-keyring: Move from gnome scope to top-level
It is on the way out.
2024-07-01 09:35:26 +02:00
Artturin 1ecc3cd35b
Merge pull request #322194 from Artturin/polkitaddpackageoption
nixos/polkit: Add package option
2024-06-26 12:42:38 +03:00
Sandro 33f83c6252
Merge pull request #316977 from eclairevoyant/fix-mkEnableOption
treewide: fix mkEnableOption usage
2024-06-25 22:42:16 +02:00
Artturin b61e0ff19b nixos/polkit: Add package option
Overlaying polkit results in a lot of rebuilds thus it makes sense to
add a package option.

Assists in using the patch needed to fix https://www.github.com/NixOS/nixpkgs/issues/18012
2024-06-24 17:55:41 +03:00
Benjamin Staffin 4530b8f72f
nixos/ipa: Lower default sssd debug_level (#310662)
debug_level 65510 (0x3f7f0) is _extremely_ verbose, far more than one
would want in normal operation.  Setting these in the default config
also makes it difficult to override in a user config.  Anyone who needs
greater verbosity can add these options to their own sssd config, or
adjust them at runtime with `sssctl debug-level`.
2024-06-22 11:31:18 -04:00
Benjamin Staffin e93ccda887
nixos/ipa: Make ipa_hostname configurable (#321588)
Some sites put hosts in domains outside of the IPA server's default
domain, so this needs to be user-configurable.  The default is to use
the system's FQDN if it is configured, otherwise fallback to the
previous default behaviour of assuming the IPA's server's domain.
2024-06-22 11:29:54 -04:00
h7x4 d8ddf6fb6d
Merge pull request #287611 from h7x4/nixos-module-fixup-kerberos-server
nixos/kerberos_server: use krb format generator, plus misc cleanup
2024-06-14 17:04:55 +02:00
éclairevoyant 7d8742da87
treewide: fix mkEnableOption usage 2024-06-14 02:41:42 -04:00
h7x4 195d155a1c
nixos/kerberos_server: use krb format generator, plus misc cleanup
- Introduce more possible options by using the krb format generator.
- Enforce package choice is using a correct package.
- Use meta attribute to decide implementation, allows for overriding the
  package.
- Make necessary changes to the format, to allow for multiple ACL files in
  heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
2024-06-08 23:29:53 +02:00
Stéphan Kochen d1f07e6382 nixos/acme: allow setting security.acme.defaults.server = null to keep old accounts directory
The accounts directory is based on the hash of the settings.

https://github.com/NixOS/nixpkgs/pull/270221 changed the  default of
security.acme.defaults.server from null to the default letsencrypt URL
however as an unwanted side effect this means the accounts directory
changes and the ACME module will create a new a new account.

This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments

We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.

Fixes https://github.com/NixOS/nixpkgs/issues/316608

Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
2024-06-04 20:09:46 +02:00
aszlig e4bd1e8f92
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:41 +02:00
aszlig 0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
Julien Moutinho 0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Thomas Gerbet deed6fb8f3
Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
2024-04-28 09:24:38 +02:00
Vir Chaudhury 4ca92fb6ec nixos/isolate: init module 2024-04-22 10:19:09 +08:00
Victor Engmark c11815167f nixos/duosec: Split mkdir mode into chmod command for clarity
As recommended by ShellCheck
<https://github.com/koalaman/shellcheck/wiki/SC2174>.
2024-04-22 01:40:55 +10:00
stuebinm 6afb255d97 nixos: remove all uses of lib.mdDoc
these changes were generated with nixq 0.0.2, by running

  nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix

two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.

Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00
Bjørn Forsman a29010fe79 nixos: improve many 'enable' descriptions 2024-04-09 07:10:17 +02:00
Noah S-C 5c4858ad7b
More specific link to tag spec
Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
2024-04-03 17:52:28 +01:00
Noah Santschi-Cooney 1a5acce391
nixos/sudo: update command options enum for newer sudo version
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version.
MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8)
2024-04-02 15:15:53 +01:00
Janne Heß fcc95ff817 treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00
Nick Cao cee0d0bac7
nixos/pam: use services.fprintd.package for fprintd rule 2024-03-22 20:14:49 -04:00
Adam C. Stephens b52452f8c7
Merge pull request #291951 from amarshall/zfs-pkgs-renaming
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-03-01 10:09:12 -05:00
K900 8be79e54c5 nixos/pam/kwallet: rename option, allow setting package 2024-02-28 18:49:33 +03:00
Andrew Marshall 2e36c49949 nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
2024-02-27 18:46:00 -05:00
Ryan Lahfa d9e7a2a88a
Merge pull request #286857 from RaitoBezarius/cacerts
nixos/security/ca: enable support for compatibility bundles
2024-02-11 19:44:02 +01:00
Raito Bezarius 19159a2349 nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
Raito Bezarius 2d78f55438 pam_usb, nixos/pam-usb: drop
`security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-08 02:59:45 +01:00
Sandro 4494fcaab7
nixos/acme: default to lets encrypt production URL instead of null, mention lets encrypt staging URI (#270221) 2024-02-06 01:51:09 +01:00
Rhys Davies d102910f47
nixos/pam: Add pam_intune 2024-02-02 10:01:52 +13:00
Pierre Bourdon 3484985991
Merge pull request #285587 from edef1c/wrapper-cve-2023-6246
nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01 19:18:45 +01:00
edef b4c9840652 nixos/modules/security/wrappers: limit argv0 to 512 bytes
This mitigates CVE-2023-6246, crucially without a mass-rebuild.

Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
2024-02-01 18:16:55 +00:00
Adam Stephens 75ec325cb9
nixos/pam: remove pam_cgfs
pam_cgfs is a cgroups-v1 pam module. Verified with upstream that
this module no longer necessary on cgroups-v2 systems.
2024-01-31 17:19:23 -05:00
éclairevoyant b43dcaf48f
nixos/acme: fix assertion for renamed option 2024-01-19 16:28:56 -05:00
mian | mian fbe9d95ed9
fix semi-colon missing 2024-01-18 16:31:54 +08:00
nicoo bd6966bc4a nixos/pam: Secure default for sshAgentAuth.authorizedKeysFiles
Closes #31611
2024-01-12 13:39:08 +00:00
Peder Bergebakken Sundt dff635f38d
Merge pull request #243169 from 2xsaiko/outgoing/krb5
nixos/krb5: cleanup, fix and RFC42-ify
2024-01-10 21:06:15 +01:00
nicoo 0e5c95035d nixos/pam: Fix use of renamed enableSSHAgentAuth option 2024-01-08 18:13:46 +00:00
Maciej Krüger b5b2f6bec4
Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
2024-01-08 17:42:02 +01:00
Maciej Krüger c931d73fba
Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth
nixos/pam: Add assertion for SSH-agent auth
2024-01-07 13:54:27 +01:00
nicoo 2eac5106f1 nixos/sudo: Remove unused enableSSHAgentAuth let-binding 2024-01-04 17:30:09 +00:00