author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-04-26 18:00:58 +0000 |
committer | GitHub <noreply@github.com> | 2024-04-26 18:00:58 +0000 |
commit | 037c0663b9d1eaf1fbeffede5b8e9acd99569b9c (patch) | |
tree | 7a67bcdaf4170deb7b51c5b148bfb65f4440d732 /nixos | |
parent | 7ac1647abc383ad3d6c59cfb57519294d5809143 (diff) | |
parent | 1d67e14da5e03eba8c84ba963d0dd7fa50024b54 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/malloc.nix | 19 | ||||
-rw-r--r-- | nixos/modules/programs/wshowkeys.nix | 34 | ||||
-rw-r--r-- | nixos/modules/services/security/oauth2_proxy_nginx.nix | 52 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 |
4 files changed, 83 insertions, 23 deletions
diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix
index 4214ae5983156..e414970b0be5a 100644
--- a/nixos/modules/config/malloc.nix
+++ b/nixos/modules/config/malloc.nix
@@ -9,8 +9,23 @@ let
 graphene-hardened = {
 libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
 description = ''
- An allocator designed to mitigate memory corruption attacks, such as
- those caused by use-after-free bugs.
+ Hardened memory allocator coming from GrapheneOS project.
+ The default configuration template has all normal optional security
+ features enabled and is quite aggressive in terms of sacrificing
+ performance and memory usage for security.
+ '';
+ };
+
+ graphene-hardened-light = {
+ libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
+ description = ''
+ Hardened memory allocator coming from GrapheneOS project.
+ The light configuration template disables the slab quarantines,
+ write after free check, slot randomization and raises the guard
+ slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
+ The light configuration has solid performance and memory usage while still
+ being far more secure than mainstream allocators with much better security
+ properties.
 '';
 };
diff --git a/nixos/modules/programs/wshowkeys.nix b/nixos/modules/programs/wshowkeys.nix
index f7b71d2bb0c89..1fef33e047175 100644
--- a/nixos/modules/programs/wshowkeys.nix
+++ b/nixos/modules/programs/wshowkeys.nix
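Review bot: The rewritten `graphene-hardened` description drops the one concrete security claim the old text made, that the allocator mitigates use-after-free exploitation, while the new `graphene-hardened-light` text lists what it disables (slab quarantines, write-after-free check, slot randomization) without saying which protection those removals cost. A reader comparing the two entries therefore cannot tell that the light variant is specifically weaker against use-after-free, which as far as I understand hardened_malloc is what the quarantines and the write-after-free check exist to catch. I would end the light description with a sentence such as `Compared to the default template this gives up most of the use-after-free detection; choose it only when the default's overhead is unacceptable.` and restore a mention of use-after-free in the default entry's text. The enclosing providers attrset starts before this hunk, and whether the package actually ships `libhardened_malloc-light.so` is not checked anywhere visible here.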
@@ -1,27 +1,31 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
 cfg = config.programs.wshowkeys;
-in {
- meta.maintainers = with maintainers; [ primeos ];
-
+in
+{
 options = {
 programs.wshowkeys = {
- enable = mkEnableOption ''
+ enable = lib.mkEnableOption ''
 wshowkeys (displays keypresses on screen on supported Wayland compositors).
 It requires root permissions to read input events, but these permissions
 are dropped after startup'';
+ package = lib.mkPackageOption pkgs "wshowkeys" { };
 };
 };
- config = mkIf cfg.enable {
- security.wrappers.wshowkeys =
- { setuid = true;
- owner = "root";
- group = "root";
- source = "${pkgs.wshowkeys}/bin/wshowkeys";
- };
+ config = lib.mkIf cfg.enable {
+ security.wrappers.wshowkeys = {
+ setuid = true;
+ owner = "root";
+ group = "root";
+ source = lib.getExe cfg.package;
+ };
 };
+
+ meta.maintainers = with lib.maintainers; [ primeos ];
 }
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index 87ea61276837c..1b86656c7d4c5 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
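Review bot: The new `package` option becomes the target of `security.wrappers.wshowkeys.source` via `lib.getExe cfg.package`, and that wrapper is `setuid = true` with `owner = "root"`, yet nothing in the option text tells the user that whatever binary they substitute will start as root. The `enable` description's promise that root permissions "are dropped after startup" describes the stock program, not an arbitrary replacement build. I would state it where the option is declared: `package = lib.mkPackageOption pkgs "wshowkeys" { extraDescription = "The executable is installed setuid root through security.wrappers, so only substitute a build that still drops privileges after opening the input devices."; };`. Note also that `lib.getExe` resolves the file from the package's `meta.mainProgram` (falling back to the package name, as I recall), so an override with a different main program silently changes which file is made setuid.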
@@ -25,10 +25,41 @@ in
 };
 virtualHosts = mkOption {
- type = types.listOf types.str;
- default = [];
+ type = let
+ vhostSubmodule = types.submodule {
+ options = {
+ allowed_groups = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ description = "List of groups to allow access to this vhost, or null to allow all.";
+ default = null;
+ };
+ allowed_emails = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ description = "List of emails to allow access to this vhost, or null to allow all.";
+ default = null;
+ };
+ allowed_email_domains = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ description = "List of email domains to allow access to this vhost, or null to allow all.";
+ default = null;
+ };
+ };
+ };
+ oldType = types.listOf types.str;
+ convertFunc = x:
+ lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
+ lib.genAttrs x (_: {});
+ newType = types.attrsOf vhostSubmodule;
+ in types.coercedTo oldType convertFunc newType;
+ default = {};
+ example = {
+ "protected.foo.com" = {
+ allowed_groups = ["admins"];
+ allowed_emails = ["boss@foo.com"];
+ };
+ };
 description = ''
- A list of nginx virtual hosts to put behind the oauth2 proxy.
+ Nginx virtual hosts to put behind the oauth2 proxy.
 You can exclude specific locations by setting `auth_request off;` in the
 locations extraConfig setting.
 '';
 };
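Review bot: The three `description` strings say "or null to allow all", but null only means no per-vhost restriction is added; presumably oauth2-proxy's own global allow-lists still apply, so "allow all" overstates what leaving the option unset does and may lead an operator to believe a vhost is deliberately open when it is merely unrestricted at this layer. I would rephrase each along the lines of `description = "Groups allowed to access this vhost; null adds no per-vhost group restriction (the proxy's global configuration still applies).";`. Separately, `convertFunc` relies on `lib.warn "..." lib.genAttrs x (_: {})` parsing as `(lib.warn msg lib.genAttrs) x (_: {})`, which works only because `warn` returns its second argument unchanged, but it reads like a missing parenthesis; `lib.warn "..." (lib.genAttrs x (_: { }))` says the same thing plainly. The `mkOption` call this hunk edits sits inside an options block that starts before the hunk.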
@@ -50,11 +81,20 @@ in
 }
 ] ++ optional (cfg.virtualHosts != []) {
 recommendedProxySettings = true; # needed because duplicate headers
- } ++ (map (vhost: {
+ } ++ (lib.mapAttrsToList (vhost: conf: {
 virtualHosts.${vhost} = {
 locations = {
- "/oauth2/auth" = {
- proxyPass = cfg.proxy;
+ "/oauth2/auth" = let
+ maybeQueryArg = name: value:
+ if value == null then null
+ else "${name}=${lib.concatStringsSep "," value}";
+ allArgs = lib.mapAttrsToList maybeQueryArg conf;
+ cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+ cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
+ in {
+ # nginx doesn't support passing query string arguments to auth_request,
+ # so pass them here instead
+ proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
 extraConfig = ''
 auth_request off;
 proxy_set_header X-Scheme $scheme;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 6430a344ba247..d27e6b8a2b137 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -782,6 +782,7 @@ in {
 rasdaemon = handleTest ./rasdaemon.nix {};
 readarr = handleTest ./readarr.nix {};
 redis = handleTest ./redis.nix {};
+ redlib = handleTest ./redlib.nix {};
 redmine = handleTest ./redmine.nix {};
 restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
 restic-rest-server = handleTest ./restic-rest-server.nix {}; |
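Review bot: `cleanArgs` runs `lib.escapeURL` over the whole `name=value1,value2` string, and since `escapeURL` percent-encodes every character outside the unreserved set (including `=` and `,`), the query becomes `allowed_groups%3Dadmins`, which a query parser that splits on `=` before unescaping (Go's net/url does, and oauth2-proxy is a Go program) reads as a key named `allowed_groups=admins` with an empty value, so the per-vhost restriction never reaches the proxy and access silently falls back to the global policy. Escape the values, not the separators: `else "${name}=${lib.concatStringsSep "," (map lib.escapeURL value)}";` and `cleanArgs = builtins.filter (x: x != null) allArgs;`. A NixOS test asserting that a user outside `allowed_groups` is rejected on a restricted vhost would have caught this, and the proxyPass will also end in a bare `?` when no restriction is set, which is harmless but worth a comment. Separately, the context line `optional (cfg.virtualHosts != [])` is now always true because the option's default became `{}` and `{} != []` holds in Nix, so `recommendedProxySettings` is forced on even with no protected vhosts; it should compare against `{}`. The function that assembles this nginx configuration starts before and ends after the hunk.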