1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
Commit graph

473 commits

Author SHA1 Message Date
aszlig ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Silvan Mosberger 02db11d369
Merge pull request #55792 from sdier/fix/pam-update
Allow duosec to be used in nixos as a pam module.
2019-02-25 01:38:51 +01:00
Scott Dier a3273e85e3 nixos/security: Fix pam configuration file generation. 2019-02-24 22:49:01 +00:00
Scott Dier 4e9ac79ef5 nixos/security: Allow configuration of pam for duosec. 2019-02-24 22:49:01 +00:00
Scott Dier 096e66a8ad nixos/security: Add duo-unix support to pam.
Also whitespace cleanup of surrounding code.
2019-02-24 22:48:56 +00:00
Symphorien Gibol a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Florian Klink d3c2ed21d0
Merge pull request #53762 from ju1m/nslcd
Improving integration of `nslcd`, PAM and `openldap`.
2019-01-30 19:34:40 +01:00
Wael Nasreddine f072cfe1eb
nixos/pam: refactor U2F, docs about u2f_keys path (#54756)
* change enableU2F option to u2f.* set
* add few u2f options (not all) to customize pam-u2f module
* document default u2f_keys locations

Co-authored-by: Tomasz Czyż <tomasz.czyz@gmail.com>
Co-authored-by: Arda Xi <arda@ardaxi.com>
2019-01-29 08:45:26 -08:00
Julien Moutinho 65cfba23af nixos/tests: test LDAP password changing through nslcd
NOTE: slapd.conf is deprecated, hence use cn=config.
2019-01-18 05:13:42 +01:00
Joachim Fasting ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting 84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting 9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Florian Klink c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Gabriel Ebner 20078fd5b2 nixos/rngd: do not pass --version flag 2018-11-05 10:41:38 +01:00
Will Dietz afdf16b714 apparmor-suid: don't force glibc
(cherry picked from commit 131131e58fc66365854f37f4fe2bf6ca01c8aed6)
2018-10-30 19:50:47 -05:00
Léo Gaspard 888034f6ca
dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
Renaud deacd0bd73
nixos/rngd: fix exec flags and udev rules
TPM1.2 support has been dropped in rng-tools v6.5
see caef8cce97

rngd won't access /dev/tpm0 anymore and the "--no-tpm=1" option is now unrecognised
2018-10-28 17:31:35 +01:00
Renaud b2f6aa0069
nixos/rngd: use new name pkgs.rng-tools
Instead of pkgs.rng_tools which is now an alias
2018-10-24 13:46:08 +02:00
Linus Heckemann 45981145ad nixos/wrappers: remove outdated upgrade code
As mentioned in the code comments themselves, this was only necessary
for 16.09 -> 17.03 and as such is obsolete.
2018-10-21 15:12:36 +02:00
Joachim F 205aff5a65
Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
2018-10-15 21:25:42 +00:00
Joachim Fasting f4ea22e5de
nixos/security/misc: init
A module for security options that are too small to warrant their own module.

The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
   Nix sandbox builds to work

In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.
2018-10-15 23:11:37 +02:00
Joachim Fasting e619998eb3
nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
Jörg Thalheim b12c759f76
Merge pull request #47563 from jameysharp/unscripted
Replace several activation script snippets with declarative configuration
2018-10-02 19:21:34 +01:00
Jamey Sharp b63f65aea0 nixos/pam: create wtmp/lastlog iff using pam_lastlog
I think pam_lastlog is the only thing that writes to these files in
practice on a modern Linux system, so in a configuration that doesn't
use that module, we don't need to create these files.

I used tmpfiles.d instead of activation snippets to create the logs.
It's good enough for upstream and other distros; it's probably good
enough for us.
2018-09-30 11:08:12 -07:00
Jamey Sharp ae3d3b0fff nixos/polkit: use tmpfiles to clean old dirs
These don't need to get cleaned up during activation; that can wait
until systemd-tmpfiles-setup runs.
2018-09-30 11:08:11 -07:00
Graham Christensen 8413f22bb3
docs: format 2018-09-29 20:51:11 -04:00
Robin Gloster 515a7aa452
acme module: fix self-signed cert with openssl 1.1 2018-09-12 13:40:46 +02:00
Graham Christensen 34d2ec7c09
nixos docs: give IDs to things 2018-09-01 16:20:49 -04:00
Matthew Bauer 1b40dda8a7
Merge pull request #42834 from Synthetica9/patch-1
security.sudo.extraRules: documentation fix
2018-07-23 11:29:18 -04:00
Jörg Thalheim e9ff0f9448
Merge pull request #43863 from volth/unused4
[bot] nixos/*: remove unused arguments in lambdas
2018-07-21 16:39:08 +01:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth 6d2857a311 [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
volth 87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Joachim F 3ea5b15c20
Merge pull request #42845 from ivanbrennan/nixos-sudo-describe-rules-precedence
nixos/security.sudo: Document ordering of extraRules
2018-07-02 23:55:56 +00:00
ivanbrennan d08967a3a8
nixos/security.sudo: describe extraRules order
The order of sudoers entries is significant. The man page for sudoers(5)
notes:

  Where there are multiple matches, the last match is used (which is not
  necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.

  extraRules = lib.mkAfter [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "${pkgs.foo}/bin/foo";
          options = [ "NOPASSWD" "SETENV" ];
        }
      ]
    }
  ];

Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
2018-07-01 15:50:51 -04:00
Patrick Hilhorst 38b7233f83
Update sudo.nix
Updated example for security.sudo.extraRules to match comment
2018-07-01 13:23:55 +02:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Niklas Hambüchen 7f79a4fe11 manual: Clarify that limits.conf doesn't apply to systemd services. (#40267)
Say how systemd services can be set instead.

Sources:

* https://bugzilla.redhat.com/show_bug.cgi?id=754285
* https://ro-che.info/articles/2017-03-26-increase-open-files-limit

Signed-off-by: Niklas Hambüchen <mail@nh2.me>
2018-05-12 17:44:57 +02:00
aszlig 78b4b90d6c
Merge pull request #39526 (improve dhparams)
This introduces an option that allows us to turn off stateful generation
of Diffie-Hellman parameters, which in some way is still "stateful" as
the generated DH params file is non-deterministic.

However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.

Aside from adding a NixOS VM test it also restructures the type of the
security.dhparams.params option, so that it's a submodule.

A new defaultBitSize option is also there to allow users to set a
system-wide default.

I added a release notes entry that described what has changed and also
included a few notes for module developers using this module, as the
first usage already popped up in NixOS/nixpkgs#39507.

Thanks to @Ekleog and @abbradar for reviewing.
2018-05-08 02:09:46 +02:00
Matthew Justin Bauer 11df600bf8
Merge pull request #39680 from bgamari/fix-acme-post-stop
nixos/acme: Fix broken post-stop script
2018-05-07 04:19:49 +00:00
aszlig 81fc2c3509
nixos/dhparams: Add a defaultBitSize option
This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Regardless for the use in testing, this also has an impact in production
systems if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every params that are
set.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:58:52 +02:00
Graham Christensen d1165dba99
Merge pull request #38831 from rdnetto/improve-cross-refs
Improve cross referencing in NixOS Manual
2018-04-30 21:30:20 -04:00
aszlig b3d5ca8359
nixos/dhparams: Set default bit size to 2048
@Ekleog writes in https://github.com/NixOS/nixpkgs/pull/39526:

> I think a default of 4096 is maybe too much? See certbot/certbot#4973;
> Let's Encrypt supposedly know what they are doing and use a
> pre-generated 2048-bit DH params (and using the same DH params as
> others is quite bad, even compared to lower bit size, if I correctly
> remember the attacks available -- because it increases by as much the
> value of breaking the group).

> Basically I don't have anything personal against 4096, but fear it may
> re-start the arms race: people like having "more security" than their
> distributions, and having NixOS already having more security than is
> actually useful (I personally don't know whether a real-size quantum
> computer will come before or after our being able to break 2048-bit
> keys, let alone 3072-bit ones -- see wikipedia for some numbers).

> So basically, I'd have set it to 3072 in order to both decrease build
> time and avoid having people setting it to 8192 and complaining about
> how slow things are, but that's just my opinion. :)

While he suggests is 3072 I'm using 2048 now, because it's the default
of "openssl dhparam". If users want to have a higher value, they can
still change it.

Signed-off-by: aszlig <aszlig@nix.build>
2018-04-30 05:53:38 +02:00
Ben Gamari 7d68eadf37 nixos/acme: Fix broken post-stop script
Previously the script would contain an empty `if` block (which is invalid
syntax) if both `data.activationDelay == null` and `data.postRun == ""`. Fix
this by adding a no-op `true`.
2018-04-29 13:32:02 -04:00
aszlig ce87773867
nixos/dhparams: Clean up module expression
First of all let's start with a clean up the multiline string
indentation for descriptions, because having two indentation levels
after description is a waste of screen estate.

A quick survey in the form of the following also reveals that the
majority of multiline strings in nixpkgs is starting the two beginning
quotes in the same line:

$ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l
817
$ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l
14818

The next point is to get the type, default and example attributes on top
of the description because that's the way it's rendered in the manual.

Most services have their enable option close to the beginning of the
file, so let's move it to the top.

Also, I found the script attribute for dhparams-init.service a bit hard
to read as it was using string concatenation to split a "for" loop.

Now for the more substantial clean ups rather than just code style:

  * Remove the "with lib;" at the beginning of the module, because it
    makes it easier to do a quick check with "nix-instantiate --parse".
  * Use ConditionPathExists instead of test -e for checking whether we
    need to generate the dhparams file. This avoids spawning a shell if
    the file exists already and it's probably more common that it will
    exist, except for the initial creation of course.
  * When cleaning up old dhparams file, use RemainAfterExit so that the
    unit won't be triggered again whenever we stop and start a service
    depending on it.
  * Capitalize systemd unit descriptions to be more in par with most
    other unit descriptions (also see 0c5e837b66).
  * Use "=" instead of "==" for conditionals using []. It's just a very
    small nitpick though and it will only fail for POSIX shells. Bash on
    the other side accepts it anyway.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:52 +02:00
aszlig 3e11ff6e0d
nixos/dhparams: Introduce a 'stateful' option
This option allows us to turn off stateful generation of Diffie-Hellman
parameters, which in some way is still stateful as the generated DH
params file is non-deterministic.

However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.

Another advantage of this is that we no longer need to take care of
cleaning up the files that are no longer used and in my humble opinion I
would have preferred that #11505 (which puts the dhparams in the Nix
store) would have been merged instead of #22634 (which we have now).

Luckily we can still change that and this change gives the user the
option to put the dhparams into the Nix store.

Beside of the more obvious advantages pointed out here, this also
effects test runtime if more services are starting to use this (for
example see #39507 and #39288), because generating DH params could take
a long time depending on the bit size which adds up to test runtime.

If we generate the DH params in a separate derivation, subsequent test
runs won't need to wait for DH params generation during bootup.

Of course, tests could still mock this by force-disabling the service
and adding a service or activation script that places pre-generated DH
params in /var/lib/dhparams but this would make tests less readable and
the workaround would have to be made for each test affected.

Note that the 'stateful' option is still true by default so that we are
backwards-compatible with existing systems.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 08:04:50 +02:00
aszlig 761266bd18
nixos/dhparams: Turn params into a submodule
We're going to implement an option which allows us to turn off stateful
handling of Diffie-Hellman parameter files by putting them into the Nix
store.

However, modules now might need a way to reference these files, so we
add a now path option to every param specified, which carries a
read-only value of the path where to find the corresponding DH params
file.

I've also improved the description of security.dhparams.params a bit so
that it uses <warning/> and <note/>.

The NixOS VM test also reflects this change and checks whether the old
way to specify the bit size still works.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:48 +02:00
Gregor Kleen 79eebad055 Fix incorrect merge 2018-04-21 22:34:39 +02:00
Matthew Justin Bauer 1eea73eaa8
Merge branch 'master' into feat/acme/delay 2018-04-21 14:53:23 -05:00
Matthew Justin Bauer aeff4242db
Merge pull request #31969 from Assassinkin/master
Update sssd integration with pam as documented by RedHat
2018-04-21 14:36:47 -05:00
Nikolay Amiantov 4fc0b4edca acme service: generate a CA for self-signed certificate
This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Also cleanup service a bit -- use PATH and a private temporary directory (which
is more suitable).
2018-04-17 12:53:29 +03:00
Reuben D'Netto 42a84598fb Added cross-references to NixOS manual 2018-04-12 09:39:14 +10:00
Frederik Rietdijk 0aa59a08d6 Merge master into staging 2018-04-09 15:12:32 +02:00
Jörg Thalheim e8cfda7f13 lxc: enable pam_cgfs and fix module
pam_cgfs was part in lxcfs before and moved here

fixes #37985
2018-04-09 08:15:00 +01:00
Matthew Justin Bauer 75616ceb49
Merge pull request #37840 from matthewbauer/unixtools
Cross-platform "unixtools"
2018-03-27 18:43:03 -05:00
Will Dietz cb30a1b425 wrapper.c: fixup includes to work w/musl 2018-03-25 18:06:02 -05:00
Wout Mertens 527e97f333
acme module: update for simp_le v0.8
Hopefully fixes #37689
2018-03-24 17:43:32 +01:00
Geoffrey Huntley a88ec5e8a5 duosec: use root uid as sshd uid has been retired (#33597)
* fix: use root uid as sshd uid has been retired

fixes https://github.com/NixOS/nixpkgs/issues/10088
related PR (abandoned) at https://github.com/NixOS/nixpkgs/pull/15391

* must use "sshd" user otherwise duosec does not work in multi user mode

see https://github.com/duosecurity/duo_unix/issues/89#issuecomment-272062632
2018-03-21 18:46:35 -05:00
giraffito b9639d7e1f
nixos/security: fix description of sudo.wheelNeedsPassword
the previous description mistakenly described the opposite semantics
2018-03-16 21:50:46 +00:00
Shea Levy a183563cf0
Revert "Merge branch 'setuid-wrapper-readlink'"
Kernel symlinks don't have st_size. Really thought I tested this, guess I ran the
wrong NixOS test :(

This reverts commit 6dab907ebe, reversing
changes made to eab479a5f0.
2018-03-07 17:09:05 -05:00
Shea Levy dffa3d2b1f
nixos: setuid-wrapper: simplify readlink logic 2018-03-07 11:57:43 -05:00
Shea Levy fec543436d
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
Shea Levy fe406d66b2
nixos: sudo: Use build-time visudo for syntax check. 2018-02-28 15:01:33 -05:00
Jan Tojnar a31d98f312
tree-wide: autorename gnome packages to use dashes 2018-02-25 17:41:16 +01:00
Dawid Ciężarkiewicz 5c746a0a84 nixos/pam: support for Google Authenticator 2018-02-09 21:09:03 -08:00
Robert Schütz b5ecdfa977 nixos/acme: Fix xml (#34683) 2018-02-06 23:27:28 +00:00
Joachim Schiele edeacd00ad security.acme: default name value via module system (#34388) 2018-02-06 21:08:57 +00:00
Leon Schuermann f297ddb5c9 sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
zimbatm 1276a3b12a
nixos/acme: configurable TOS hash (#33522)
This hash tends to change and upstream simp_le doesn't seem to keep up
with the changes.
2018-01-11 14:19:15 +00:00
Ben Gamari b2cbffae64 nixos/security-wrapper: Fix cross-compilation 2018-01-09 11:25:19 -05:00
gnidorah f15fad898b pam: add optional pam_gnome_keyring integration 2018-01-01 21:58:37 +03:00
Jörg Thalheim 0bbf671b5a
Merge pull request #31157 from sorki/lxcfs_pam_related
[wip] lxcfs,pam: disable cgmanager, enable pam_cgfs, lxcfs 2.0.7 -> 2.0.8
2018-01-01 15:42:03 +01:00
gnidorah b9851a975e Make less known wayland compositors usable (#32285)
* bemenu: init at 2017-02-14

* velox: 2015-11-03 -> 2017-07-04

* orbment, velox: don't expose subprojects

the development of orbment and velox got stuck
their subprojects (bemenu, dmenu-wayland, st-wayland) don't work correctly outside of parent projects
so hide them to not confuse people
swc and wld libraries are unpopular and unlike wlc are not used by anything except velox

* pythonPackages.pydbus: init at 0.6.0

* way-cooler: 0.5.2 -> 0.6.2

* nixos/way-cooler: add module

* dconf module: use for wayland

non-invasive approach for #31293
see discussion at #32210

* sway: embed LD_LIBRARY_PATH for #32755

* way-cooler: switch from buildRustPackage to buildRustCrate #31150
2017-12-21 16:16:19 +00:00
Assassinkin de67f50351 Update sssd integration with pam as documented by RedHat 2017-11-22 18:07:04 +01:00
Gregor Kleen e70d293b6b nixos/acme: Allow for time window between cert issue and activation 2017-11-19 17:25:00 +01:00
Bjørn Forsman 3f36f167e6 nixos/pam: fix docs about path to u2f_keys file
Looking at upstream git repo (git://github.com/Yubico/pam-u2f.git) the
docs initially said the path was ~/.yubico/u2f_keys, but it was later
changed to ~/.config/Yubico/u2f_keys (in 2015).

I have run pam_u2f.so with "debug" option and observed that the correct
path indeed is ~/.config/Yubico/u2f_keys.
2017-11-17 17:50:40 +01:00
Pierre-Etienne Meunier 538acd9060 ACME module: add server option (#31122) 2017-11-02 11:10:47 +01:00
Richard Marko 4e26054ff5 pam, lxcfs: enable pam_cgfs
Related to #30023
2017-11-02 02:52:08 +01:00
Chris Martin 0581038e8e nixos/acme: remove doc note about restarting nginx
Discussion from #30945 indicates that it is no longer true that you have
to restart nginx.
2017-10-30 13:51:35 -04:00
edef ea35bc94bf nixos/ecryptfs: init
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.
2017-10-20 17:42:04 +01:00
gnidorah 7867b50881 nixos/pam: add swaylock (#29919) 2017-10-20 16:30:28 +00:00
Tristan Helmich c6761f8578 security.pam.usb: link to wiki on github.com
pamusb.org no longer serves the intended content.
2017-09-28 16:00:28 +02:00
Joachim Fasting 1df6cf5d1d
nixos/lock-kernel-modules: fix deferred fileSystem mounts
Ensure that modules required by all declared fileSystems are explicitly
loaded.  A little ugly but fixes the deferred mount test.

See also https://github.com/NixOS/nixpkgs/issues/29019
2017-09-22 23:55:04 +02:00
Joachim Fasting 15a4f9d8ef
nixos/hardened: simplify script 2017-09-22 23:53:06 +02:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim Fasting bb036a327c
nixos/chromium-suid-sandbox: remove reference to grsecurity 2017-09-02 20:35:28 +02:00
Joachim Fasting 268eb4adb7
nixos: purge remaining grsecurity bits
:(

Fixes https://github.com/NixOS/nixpkgs/issues/28859
2017-09-02 20:35:24 +02:00
Benjamin Staffin 2e65e2df94 nixos: Fix pam_kwallet5 integration
Fixes #28469
2017-08-22 11:52:14 -04:00
Christian Albrecht 93965870a8 nixos/auditd: break ordering cycle (#27577)
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.

Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.

See also #11864
2017-08-01 20:45:01 +01:00
Christian Albrecht ebaff599ba nixos/auditd: init at 2.7.6 (#27261)
#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.

auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.

auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.
2017-07-09 17:59:09 +01:00
Jörg Thalheim 343ad1697d Merge pull request #26897 from layus/nixos-terminfo
terminfo: symlink terminfo to /etc for ncurses
2017-07-01 09:27:24 +01:00
Guillaume Maudoux bd562949cf terminfo: symlink terminfo to /etc for ncurses 2017-06-30 11:17:11 +02:00
tv ea44ca47f3 security-wrapper: run activation script after specialfs
Ensures that parentWrapperDir exists before it is used.

Closes #26851
2017-06-26 09:26:16 +02:00
Parnell Springmeyer 5ca644c228
Fixing attribute name mistake: setguid => setgid 2017-06-15 19:25:43 -07:00
Bjørn Forsman 6a55fda61e nixos/acme: improve documentation
* Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-09 19:35:17 +02:00
Bjørn Forsman 7a0e958b97 nixos/acme: support "full.pem" (for lighttpd)
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
2017-06-09 19:35:17 +02:00
lassulus fd7a8f1b91 nixos/security/acme: fix acme folder permissions 2017-05-11 18:49:26 +02:00