authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2024-04-26 18:00:58 +0000
committerGitHub <noreply@github.com>2024-04-26 18:00:58 +0000
commit037c0663b9d1eaf1fbeffede5b8e9acd99569b9c (patch)
tree7a67bcdaf4170deb7b51c5b148bfb65f4440d732 /nixos
parent7ac1647abc383ad3d6c59cfb57519294d5809143 (diff)
parent1d67e14da5e03eba8c84ba963d0dd7fa50024b54 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/config/malloc.nix19
-rw-r--r--nixos/modules/programs/wshowkeys.nix34
-rw-r--r--nixos/modules/services/security/oauth2_proxy_nginx.nix52
-rw-r--r--nixos/tests/all-tests.nix1
4 files changed, 83 insertions, 23 deletions
diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix
index 4214ae5983156..e414970b0be5a 100644
--- a/nixos/modules/config/malloc.nix
+++ b/nixos/modules/config/malloc.nix
@@ -9,8 +9,23 @@ let
     graphene-hardened = {
       libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
       description = ''
-        An allocator designed to mitigate memory corruption attacks, such as
-        those caused by use-after-free bugs.
+        Hardened memory allocator coming from GrapheneOS project.
+        The default configuration template has all normal optional security
+        features enabled and is quite aggressive in terms of sacrificing
+        performance and memory usage for security.
+      '';
+    };
+
+    graphene-hardened-light = {
+      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
+      description = ''
+        Hardened memory allocator coming from GrapheneOS project.
+        The light configuration template disables the slab quarantines,
+        write after free check, slot randomization and raises the guard
+        slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
+        The light configuration has solid performance and memory usage while still
+        being far more secure than mainstream allocators with much better security
+        properties.
       '';
     };
 
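Review bot: The two new descriptions read awkwardly in places: "Hardened memory allocator coming from GrapheneOS project" on the lines for both variants should be `Hardened memory allocator from the GrapheneOS project.`, and the closing sentence of the light variant says "more secure ... with much better security properties", which states the same thing twice. I would trim it to `The light configuration has solid performance and memory usage while still being far more secure than mainstream allocators.` The attribute set these entries belong to starts before the hunk.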
diff --git a/nixos/modules/programs/wshowkeys.nix b/nixos/modules/programs/wshowkeys.nix
index f7b71d2bb0c89..1fef33e047175 100644
--- a/nixos/modules/programs/wshowkeys.nix
+++ b/nixos/modules/programs/wshowkeys.nix
@@ -1,27 +1,31 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.programs.wshowkeys;
-in {
-  meta.maintainers = with maintainers; [ primeos ];
-
+in
+{
   options = {
     programs.wshowkeys = {
-      enable = mkEnableOption ''
+      enable = lib.mkEnableOption ''
         wshowkeys (displays keypresses on screen on supported Wayland
         compositors). It requires root permissions to read input events, but
         these permissions are dropped after startup'';
+      package = lib.mkPackageOption pkgs "wshowkeys" { };
     };
   };
 
-  config = mkIf cfg.enable {
-    security.wrappers.wshowkeys =
-      { setuid = true;
-        owner = "root";
-        group = "root";
-        source = "${pkgs.wshowkeys}/bin/wshowkeys";
-      };
+  config = lib.mkIf cfg.enable {
+    security.wrappers.wshowkeys = {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = lib.getExe cfg.package;
+    };
   };
+
+  meta.maintainers = with lib.maintainers; [ primeos ];
 }
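Review bot: The setuid-root wrapper now takes its binary from the user-settable `programs.wshowkeys.package` via `lib.getExe`, and nothing in the module says so; a short comment above `security.wrappers.wshowkeys` would help the next reader, e.g. `# Installed setuid root so it can read input events (privileges are dropped after startup); whichever package cfg.package resolves to receives that privilege.` Note also that `lib.getExe` falls back to the package name with an evaluation warning when `meta.mainProgram` is unset, so an override of `package` that lacks it would still evaluate, just to a guessed path; worth confirming the wshowkeys package sets `meta.mainProgram`.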
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 87ea61276837c..1b86656c7d4c5 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -25,10 +25,41 @@ in
     };
 
     virtualHosts = mkOption {
-      type = types.listOf types.str;
-      default = [];
+      type = let
+        vhostSubmodule = types.submodule {
+          options = {
+            allowed_groups = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of groups to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_emails = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of emails to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_email_domains = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of email domains to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+          };
+        };
+        oldType = types.listOf types.str;
+        convertFunc = x:
+          lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
+          lib.genAttrs x (_: {});
+        newType = types.attrsOf vhostSubmodule;
+      in types.coercedTo oldType convertFunc newType;
+      default = {};
+      example = {
+        "protected.foo.com" = {
+          allowed_groups = ["admins"];
+          allowed_emails = ["boss@foo.com"];
+        };
+      };
       description = ''
-        A list of nginx virtual hosts to put behind the oauth2 proxy.
+        Nginx virtual hosts to put behind the oauth2 proxy.
         You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
       '';
     };
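Review bot: The three per-vhost option descriptions say "or null to allow all", which overstates what null does: as the rest of the module shows, a null value simply means no `allowed_*` query argument is forwarded to the proxy for that vhost, so the proxy's global allow-lists (email domains, groups) still decide who gets in. I would phrase them as `List of groups allowed to reach this vhost; null adds no per-vhost restriction (the proxy's global settings still apply).` and likewise for emails and email domains. It would also help to say in the `virtualHosts` description that the old list form is accepted but deprecated, since that is what the `coercedTo` warning enforces.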
@@ -50,11 +81,20 @@ in
     }
   ] ++ optional (cfg.virtualHosts != []) {
     recommendedProxySettings = true; # needed because duplicate headers
-  } ++ (map (vhost: {
+  } ++ (lib.mapAttrsToList (vhost: conf: {
     virtualHosts.${vhost} = {
       locations = {
-        "/oauth2/auth" = {
-          proxyPass = cfg.proxy;
+        "/oauth2/auth" = let
+          maybeQueryArg = name: value:
+            if value == null then null
+            else "${name}=${lib.concatStringsSep "," value}";
+          allArgs = lib.mapAttrsToList maybeQueryArg conf;
+          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+          cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
+        in {
+          # nginx doesn't support passing query string arguments to auth_request,
+          # so pass them here instead
+          proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
           extraConfig = ''
             auth_request off;
             proxy_set_header X-Scheme         $scheme;
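Review bot: `lib.escapeURL` is applied to each argument only after name and values have been joined with `=` and `,`, so the `=` itself is encoded as `%3D`; standard query parsing splits on the literal `=` before decoding, so the proxy would see a key `allowed_groups=admins` with no value and the per-vhost restriction would silently not apply. Escape the parts instead of the joined string: `else "${lib.escapeURL name}=${lib.concatMapStringsSep "," lib.escapeURL value}";` and `cleanArgs = builtins.filter (x: x != null) allArgs;`. Separately, the context line `optional (cfg.virtualHosts != [])` still compares against a list although the option now defaults to `{}` and is an attrset after coercion, so it is always true; it should read `optional (cfg.virtualHosts != {})`. The list expression this hunk patches begins before the hunk.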
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 6430a344ba247..d27e6b8a2b137 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -782,6 +782,7 @@ in {
   rasdaemon = handleTest ./rasdaemon.nix {};
   readarr = handleTest ./readarr.nix {};
   redis = handleTest ./redis.nix {};
+  redlib = handleTest ./redlib.nix {};
   redmine = handleTest ./redmine.nix {};
   restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
   restic-rest-server = handleTest ./restic-rest-server.nix {};