1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-19 12:11:28 +00:00
Commit graph

571 commits

Author SHA1 Message Date
zowoq f9bb39e294 nixos/pam: remove trailing whitespace 2020-10-09 18:31:20 +10:00
Miles Breslin 8e628f8eea
nixos/pam: Add option to set pam-u2f appid (#73591) 2020-10-08 14:37:40 -04:00
Jeroen Simonetti cc3ce9a13a nixos/security/acme: Add DNS resolver option
When using the ACME DNS-01 challenge, there is a possibility of a
failure to resolve the challenge if the record is not propagated
fast enough. To circumvent this generic DNS problem, this adds
a setting to explicitly tell the ACME provider to use a certain DNS
resolver to lookup the challenge.

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2020-10-07 13:01:08 +02:00
Vladimír Čunát 420f89ceb2
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fd.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
2020-10-07 12:22:18 +02:00
Andreas Rammhold 2c0ee52d91
nixos/security/acme: order after nss-lookup.target
This should hopefully solve races with DNS servers (such as unbound)
during the activation of a new generation. Previously unbound could
still be unavailable and thus the acme script would fail.
2020-10-06 22:52:55 +02:00
Tim Steinbach 9646ae97c8
pam: Fix interaction with samba
9544c6078e / #96672 removed the samba option
`syncPasswordsByPam`.
Need to remove this option from the pam module, otherwise it will cause build errors
2020-10-05 09:13:16 -04:00
Doron Behar 9544c6078e
Merge pull request #96672 from doronbehar/module/samba
nixos/samba: remove upstream deprecated syncPasswordsByPam option
2020-10-04 11:29:56 +03:00
Maximilian Bosch d2dc0ae203
nixos/sudo: add package option
The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.
2020-10-01 13:00:52 +02:00
Andreas Rammhold 9630d5c07f
nixos/security/wrapper: ensure the tmpfs is not world writeable
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory has the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
2020-09-28 22:55:20 +02:00
Michael Raskin 31a4e2e28b
Merge pull request #93457 from ju1m/apparmor
apparmor: fix and improve the service
2020-09-27 13:07:38 +00:00
Florian Klink 303078d9ca
Merge pull request #97303 from martinetd/systemd-confinement-list
systemd-confinement: handle ExecStarts etc being lists
2020-09-10 21:17:17 +02:00
nicoo e64d3f60fb nixos/modules/security/rngd: Disable by default
`rngd` seems to be the root cause for slow boot issues, and its functionality is
redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel
space) that takes care of pulling in data from hardware RNGs:

> commit be4000bc4644d027c519b6361f5ae3bbfc52c347
> Author: Torsten Duwe <duwe@lst.de>
> Date:   Sat Jun 14 23:46:03 2014 -0400
>
>     hwrng: create filler thread
>
>     This can be viewed as the in-kernel equivalent of hwrngd;
>     like FUSE it is a good thing to have a mechanism in user land,
>     but for some reasons (simplicity, secrecy, integrity, speed)
>     it may be better to have it in kernel space.
>
>     This patch creates a thread once a hwrng registers, and uses
>     the previously established add_hwgenerator_randomness() to feed
>     its data to the input pool as long as needed. A derating factor
>     is used to bias the entropy estimation and to disable this
>     mechanism entirely when set to zero.

Closes: #96067
2020-09-09 21:51:25 -04:00
Thomas Tuegel 053b05d14d
Remove Qt 5.15 from Plasma closure 2020-09-08 08:47:34 -05:00
Dominique Martinet fd196452f0 systemd-confinement: handle ExecStarts etc being lists
systemd-confinement's automatic package extraction does not work correctly
if ExecStarts ExecReload etc are lists.

Add an extra flatten to make things smooth.

Fixes #96840.
2020-09-06 18:55:10 +02:00
Florian Klink d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Julien Moutinho fb6d63f3fd apparmor: fix and improve the service 2020-09-06 07:43:03 +02:00
Lucas Savva 34b5c5c1a4
nixos/acme: More features and fixes
- Allow for key reuse when domains are the only thing that
  were changed.
- Fixed systemd service failure when preliminarySelfsigned
  was set to false
2020-09-06 01:28:19 +01:00
Lucas Savva f57824c915
nixos/acme: Update docs, use assert more effectively 2020-09-05 01:06:29 +01:00
Julien Moutinho 539ae5c932 Revert "apparmor: add apparmor_parser config file"
This reverts commit 2259fbdf4b.
2020-09-05 01:46:12 +02:00
Lucas Savva 67a5d660cb
nixos/acme: Run postRun script as root 2020-09-04 19:34:10 +01:00
Lucas Savva 1b6cfd9796
nixos/acme: Fix race condition, dont be smart with keys
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.

As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.

Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests
2020-09-04 01:09:43 +01:00
Lucas Savva 982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
WORLDofPEACE 18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
rnhmjoj 20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Doron Behar 8cd4d59a32 nixos/samba: remove upstream deprecated syncPasswordsByPam option 2020-08-30 14:29:13 +03:00
Joachim F 18c52dadfe
Merge pull request #96034 from saschagrunert/apparmor
apparmor: add apparmor_parser config file
2020-08-28 08:08:25 +00:00
Lassulus e453860b8f
Merge pull request #86236 from ThibautMarty/fix-nullOr-types
treewide: fix modules options types where the default is null
2020-08-26 18:21:29 +02:00
Izorkin e21e5a9483 nixos/security/misc: add option unprivilegedUsernsClone 2020-08-25 14:18:24 +03:00
Sascha Grunert 2259fbdf4b
apparmor: add apparmor_parser config file
If the config does not exist, then apparmor_parser will throw a warning.
To avoid that and make the parser configurable, we now add a new option
to it.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-22 22:59:26 +02:00
Lassulus 8a141825a3
Merge pull request #89779 from jktr/acme-extra-flags
nixos/acme: extra lego flags
2020-08-22 14:29:39 +02:00
Doron Behar a854b77b08 nixos/wrappers: make (u)mount have the +s bit.
See
https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555
and:
https://www.linuxquestions.org/questions/slackware-14/must-be-superuser-to-use-mount-fstab-is-correct-however-144932/
2020-08-15 21:57:16 +03:00
Florian Klink 962e15aebc nixos: remove StandardOutput=syslog, StandardError=syslog lines
Since systemd 243, docs were already steering users towards using
`journal`:

eedaf7f322

systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):

> [    6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
 your unit file, and consider removing the setting altogether.

So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:

> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
2020-08-13 18:49:15 +02:00
Sebastien Bourdeauducq ecafef0dd8 pam_p11: add 2020-07-25 09:37:48 +02:00
Mario Rodas af5765b0dc
Merge pull request #85681 from Beskhue/improve-descriptions
nixos/acme: improve some descriptions
2020-07-23 00:03:05 -05:00
datafoo cc37d7edd7 nixos/acme: execute a single lego command
Stop trying to execute `lego renew` if that is not necessary.

Fix #86184.
2020-06-19 14:56:17 +02:00
Cole Helbling 13e2c75c93
nixos/sudo: default rule should be first
In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
2020-06-17 17:48:51 -07:00
J. Konrad Tegtmeier-Rottach 1719353619 nixos/acme: add extraLegoRunFlags option 2020-06-08 02:18:31 +02:00
J. Konrad Tegtmeier-Rottach a0189a4c49 nixos/acme: add extraLegoFlags option 2020-06-08 02:17:55 +02:00
Peter Hoeg 66e040eaac nixos/pam: mount encrypted home earlier
This patch was done by curro:

The generated /etc/pam.d/* service files invoke the pam_systemd.so
session module before pam_mount.so, if both are enabled (e.g. via
security.pam.services.foo.startSession and
security.pam.services.foo.pamMount respectively).

This doesn't work in the most common scenario where the user's home
directory is stored in a pam-mounted encrypted volume (because systemd
will fail to access the user's systemd configuration).
2020-06-04 13:14:30 +08:00
Florian Klink 4a85559ffc
Merge pull request #87016 from flokli/nsswitch-cleanup
nixos/nsswitch cleanup nss modules
2020-05-14 14:55:43 +02:00
Timmy Xiao fd13ca9f84 pam: fix spelling mistake in configuration 2020-05-12 15:56:37 -04:00
adisbladis 30236aceaf
Merge pull request #87581 from cole-h/doas
nixos/doas: default rule should be first
2020-05-12 18:38:51 +02:00
Florian Klink 2297508783 nixos/google-oslogin: add to system.nssDatabases.group too
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd`
and `group`, but when moving this into the google-oslogin module in
4b71b6f8fa, it didn't get split
appropriately.
2020-05-11 16:14:50 +02:00
Cole Helbling 01b645e872
nixos/doas: default rule should be first
In /etc/doas.conf, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
2020-05-10 22:14:16 -07:00
Dominique Martinet 4c81174f4c
nixos/confinement: add conflict for ProtectSystem service option
Systemd ProtectSystem is incompatible with the chroot we make
for confinement. The options is redundant with what we do anyway
so warn if it had been set and advise to disable it.

Merges: https://github.com/NixOS/nixpkgs/pull/87420
2020-05-10 19:25:41 +02:00
Cole Helbling 446fb0097a
nixos/doas: init
`doas` is a lighter alternative to `sudo` that "provide[s] 95% of the
features of `sudo` with a fraction of the codebase" [1]. I prefer it to
`sudo`, so I figured I would add a NixOS module in order for it to be
easier to use. The module is based off of the existing `sudo` module.

[1] https://github.com/Duncaen/OpenDoas
2020-05-04 15:56:06 -07:00
Florian Klink 7457c78989
Merge pull request #86347 from m1cr0man/dnsdocs
nixos/acme: update documentation
2020-05-04 14:11:28 +02:00
Yegor Timoshenko 235f4c4a91
Merge pull request #83121 from emilazy/acme-use-ec256
nixos/acme: change default keyType to ec256
2020-05-03 12:41:23 +03:00
Lucas Savva 037ef70d5c
nixos/acme: fix incorrect example 2020-05-02 00:07:50 +01:00
Lucas Savva c9f6e5f161
nixos/acme: indicate support for other providers 2020-05-01 18:23:16 +01:00