1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-02 18:42:15 +00:00
Commit graph

10457 commits

Author SHA1 Message Date
talyz deb58f6486 nixos/keycloak: Document how to use a custom local database 2021-05-04 19:27:08 +02:00
talyz fdf6bb5b95 Revert "nixos/keycloak: use db username in db init scripts"
This reverts commit d9e18f4e7f.

This change is broken, since it doesn't configure the proper database
username in keycloak when provisioning a local database with a custom
username. Its intended behavior is also potentially confusing and
dangerous, so rather than fixing it, let's revert to the old one.
2021-05-04 19:27:08 +02:00
Michele Guerini Rocco 93c5837be5
Merge pull request #121512 from rnhmjoj/searx
searx: set settings.yml permissions using umask
2021-05-04 11:43:12 +02:00
markuskowa 741ed21bea
Merge pull request #121336 from markuskowa/upd-slurm
nixos/slurm: 20.11.5.1 -> 20.11.6.1, improve security
2021-05-04 11:00:35 +02:00
Aaron Andersen aebebb5752
Merge pull request #119325 from ymarkus/bookstack
bookstack: 0.31.7 -> 21.04.3 + nixos/bookstack: use umask before echoing & clear cache before starting
2021-05-03 20:19:39 -04:00
Andreas Rammhold 3ec6977d30
Merge pull request #89572 from rissson/nixos/unbound
nixos/unbound: add settings option, deprecate extraConfig
2021-05-03 21:49:24 +02:00
Luke Granger-Brown 62f675eff6
Merge pull request #121558 from sumnerevans/fix-airsonic-service
airsonic: force use of jre8
2021-05-03 20:43:00 +01:00
Marc 'risson' Schmitt 52f6733203
nixos/unbound: deprecate extraConfig in favor of settings
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.

Existing options have been renamed or kept if
possible.

An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally.  Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-03 21:27:15 +02:00
Silvan Mosberger a221e6c330
Merge pull request #121172 from eyJhb/bind-list-to-attrs
nixos/bind: refactor zones from a list to attrset
2021-05-03 21:21:22 +02:00
Jean-Baptiste Giraudeau 62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Silvan Mosberger 0111666954
Merge pull request #109561 from mjlbach/init_matrix_dendrite
matrix-dendrite: init at 0.3.11
2021-05-03 20:16:27 +02:00
eyjhb 757a455dde
nixos/bind: refactor zones from a list to attrset
This commit uses coercedTo to make zones a attrset instead of list.
Makes it easier to access/change zones in multiple places.
2021-05-03 20:04:42 +02:00
Michael Lingelbach ff43bbe53e matrix-dendrite: add nixos module 2021-05-03 10:12:24 -07:00
Luke Granger-Brown 049850341e
Merge pull request #121540 from lukegb/postfix-compat
nixos/tests/rspamd: fix OOM flakyness
2021-05-03 17:36:46 +01:00
Martin Weinelt d23610ae65
Merge pull request #121209 from mweinelt/pinnwand 2021-05-03 18:24:45 +02:00
Florian Klink d4e149c8ff
Merge pull request #120048 from flokli/inotify-max-user-instances
nixos/xserver: set fs.inotify.max_user_instances too
2021-05-03 17:45:41 +02:00
Sumner Evans 6dde6bf3bf
airsonic: force use of jre8 2021-05-03 09:41:04 -06:00
Martin Weinelt fda2ff4edc
nixos/pinnwand: add reaper systemd unit/timer
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
2021-05-03 16:52:05 +02:00
Yannick Markus 336f3607d4
nixos/bookstack: use umask before echoing & clear cache before starting 2021-05-03 16:27:38 +02:00
Silvan Mosberger 3e930b7e4a
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
2021-05-03 16:24:42 +02:00
Martin Weinelt ac4b47f823
nixos/pinnwand: improve settings behaviour
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.

Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.

Drop preferred_lexers, it's not set to anything meaningful anyway.
2021-05-03 15:18:12 +02:00
Silvan Mosberger 1245d855b8
Merge pull request #119426 from onixie/master
nixos/kubernetes: allow merging multiple definitions of extraOpts
2021-05-03 14:32:00 +02:00
Robert Hensing 0cf3550c91
Merge pull request #121124 from hercules-ci/cassandra-tidy
cassandra: tidy
2021-05-03 13:41:41 +02:00
José Romildo Malaquias 8073df31a5
Merge pull request #121046 from romildo/fix.xfce
xfce: does not explicitly require a gvfs package
2021-05-03 08:14:56 -03:00
Luke Granger-Brown 4b42da3d85
Merge pull request #120791 from mweinelt/babeld
babeld: 1.9.2 -> 1.10
2021-05-03 10:00:12 +01:00
Luke Granger-Brown d922cad4d6
Merge pull request #119172 from midchildan/package/trafficserver
nixos/trafficserver: init
2021-05-03 09:48:07 +01:00
rnhmjoj 9ea6c1979c
nixos/searx: set settings.yml permissions using umask
This should solve a leakage of secrets as suggested in #121293
2021-05-03 09:53:50 +02:00
Martin Weinelt d67fc76603
Merge pull request #120536 from mweinelt/mosquitto 2021-05-03 00:41:21 +02:00
Martin Weinelt f41349d30d
nixos/home-assistant: Restart systemd unit on restart service
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
2021-05-03 00:21:25 +02:00
Martin Weinelt 7d09d7f571
nixos/home-assistant: harden systemd service
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
2021-05-03 00:21:24 +02:00
Luke Granger-Brown 649672e76e nixos/postfix: fix compatibility level
Postfix has started outputting an error on startup that it can't parse
the compatibility level 9999.

Instead, just set the compatibility level to be identical to the current
version, which seems to be the (new) intent for the compatibility level.
2021-05-02 21:49:33 +00:00
Maximilian Bosch 040f0acccd
Merge pull request #121299 from Ma27/gitea-umask
nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00
José Romildo Malaquias 472f5a976d xfce: does not explicitly require a gvfs package
- In order to use GIO/GVFS it is enough to enable the gvfs service.

- The module option services.gvfs.package can be used to choose a
  variation of the gvfs package, if desired.
2021-05-01 18:21:57 -03:00
Luke Granger-Brown 152fa5414c
Merge pull request #120209 from considerate/considerate/multiple-tags-buildkite-agents
services.buildkite-agents: support multi-tags
2021-05-01 19:07:56 +01:00
Martin Weinelt a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt 33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Luke Granger-Brown be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
Luke Granger-Brown d76b075e3c
Merge pull request #121246 from thblt/master
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
2021-05-01 13:30:45 +01:00
lewo 85aef7706e
Merge pull request #120620 from mweinelt/empty-capability-bounding-sets
nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00
Martin Weinelt 326f86d8cd
Merge pull request #121222 from mweinelt/nginx
nixos/nginx: update hardening settings
2021-05-01 00:36:16 +02:00
Markus Kowalewski d07185f986
nixos/slurm: fix creation of slurmdbd config file
replace cp/chmod by install to avoid security issues.
See https://github.com/NixOS/nixpkgs/issues/121293
2021-05-01 00:15:55 +02:00
Martin Weinelt efb30a191e
Merge pull request #120529 from mweinelt/zigbee2mqtt 2021-04-30 21:59:22 +02:00
Maximilian Bosch 02c3bd2187
nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
2021-04-30 21:39:11 +02:00
lunik1 248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Martin Weinelt 62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt 2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
Martin Weinelt a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Niklas Hambüchen 0dc08b4138 wireguard module: generatePrivateKeyFile: Fix chmod security race. Fixes #121288
Until now, the `touch + chmod 600 + write` approach made it possible for
an unprivileged local user read the private key file, by opening
the file after the touch, before the read permissions are restricted.

This was only the case if `generatePrivateKeyFile = true` and the parent
directory of `privateKeyFile` already existed and was readable.

This commit fixes it by using `umask`, which ensures kernel-side that
the `touch` creates the file with the correct permissions atomically.

This commit also:

* Removes `mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"`
  because setting permissions `drw-r--r--` ("nobody can enter that dir")
  is awkward. `drwx------` would perhaps make sense, like for `.ssh`.
  However, setting the permissions on the private key file is enough,
  and likely better, because `privateKeyFile` is about that file
  specifically and no docs suggest that there's something special
  about its parent dir.
* Removes the `chmod 0400 "${values.privateKeyFile}"`
  because there isn't really a point in removing write access from
  the owner of the private key.
2021-04-30 18:55:38 +02:00
Martin Weinelt 506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00