author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-11-02 00:02:32 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-02 00:02:32 +0000 |
commit | 075f0857ddfb55b705eaa2e5c64b368e5fd22aac (patch) | |
tree | 4caffff6dd7f63ae744f4210612d632e7d1a781d /nixos | |
parent | 62bf5bbe29a7d1040209da378deb4a136f0db349 (diff) | |
parent | 5571bd18dc03138b6b6264dba88bb4af9e529771 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 7 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2211.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/networking/syncthing.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/security/endlessh.nix | 99 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/invoiceplane.nix | 4 | ||||
-rw-r--r-- | nixos/modules/virtualisation/vmware-guest.nix | 3 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/endlessh.nix | 43 | ||||
-rw-r--r-- | nixos/tests/invoiceplane.nix | 4 |
11 files changed, 167 insertions, 13 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 5de7e79bb080e..e9f4f707f52fd 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -316,6 +316,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>, + an SSH tarpit. Available as + <link linkend="opt-services.endlessh.enable">services.endlessh</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>, an SSH tarpit that exposes Prometheus metrics. Available as <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>. diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 541deabc2057d..9b5257ca8e1e5 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable). +- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable). + - [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable). - [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ba9f67f87fd62..1e9298a6571d8 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -1012,6 +1012,7 @@
 ./services/security/certmgr.nix
 ./services/security/cfssl.nix
 ./services/security/clamav.nix
+ ./services/security/endlessh.nix
 ./services/security/endlessh-go.nix
 ./services/security/fail2ban.nix
 ./services/security/fprintd.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index c74f66d918295..dc145d8585154 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -615,12 +615,12 @@ let
 optionalString cfg.setLoginUid ''
 session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
 '' +
- optionalString cfg.ttyAudit.enable ''
- session required ${pkgs.pam}/lib/security/pam_tty_audit.so
- open_only=${toString cfg.ttyAudit.openOnly}
- ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
- ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
- '' +
+ optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n " ([
+ "session required ${pkgs.pam}/lib/security/pam_tty_audit.so"
+ ] ++ optional cfg.ttyAudit.openOnly "open_only"
+ ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
+ ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
+ )) +
 optionalString cfg.makeHomeDir ''
 session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
 '' +
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index 0876007a6e732..ea87e5695f87a 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
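Review bot: `open_only` is now emitted as a bare flag only when `cfg.ttyAudit.openOnly` is true, whereas the removed lines always wrote `open_only=<bool>`; that matches pam_tty_audit, which takes `open_only` without a value, but the hunk leaves no trace of why, and if the module ignores unknown options the old `open_only=true` form was presumably never honoured at all. I would add `# pam_tty_audit takes open_only as a bare flag; enable=/disable= patterns are passed through verbatim` above the `optionalString cfg.ttyAudit.enable` line. `cfg.ttyAudit.enablePattern` and `disablePattern` are interpolated unquoted into the backslash-continued line, so a value containing whitespace or a newline would split the PAM entry — operator-supplied, so a footgun rather than an injection, but worth an assertion or at least a note in the option description. The `optionalString` chain this hunk sits in starts and ends outside the hunk.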
@@ -55,8 +55,8 @@ let # generate the new config by merging with the NixOS config options new_cfg=$(printf '%s\n' "$old_cfg" | ${pkgs.jq}/bin/jq -c '. * { - "devices": (${builtins.toJSON devices}${optionalString (! cfg.overrideDevices) " + .devices"}), - "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + .folders"}) + "devices": (${builtins.toJSON devices}${optionalString (cfg.devices == {} || ! cfg.overrideDevices) " + .devices"}), + "folders": (${builtins.toJSON folders}${optionalString (cfg.folders == {} || ! cfg.overrideFolders) " + .folders"}) } * ${builtins.toJSON cfg.extraOptions}') # send the new config diff --git a/nixos/modules/services/security/endlessh.nix b/nixos/modules/services/security/endlessh.nix new file mode 100644 index 0000000000000..e99b4dadcd581 --- /dev/null +++ b/nixos/modules/services/security/endlessh.nix 
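Review bot: The new `cfg.devices == {} ||` and `cfg.folders == {} ||` conditions silently turn the override off when the declarative set is empty: with `overrideDevices = true` and no devices configured, the existing `.devices` are now kept rather than cleared, and likewise for folders. That is presumably deliberate (a fresh config would otherwise lose its own device entry), but it changes what `overrideDevices`/`overrideFolders` mean and nothing in the hunk says so; I would add `# an empty declarative set never overrides: keep the existing entries instead of wiping them` above the `"devices":` line and mention the special case in both option descriptions, which are outside this hunk. The jq filter and the shell script it is embedded in start and end outside the hunk.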
@@ -0,0 +1,99 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.endlessh;
+in
+{
+ options.services.endlessh = {
+ enable = mkEnableOption (mdDoc "endlessh service");
+
+ port = mkOption {
+ type = types.port;
+ default = 2222;
+ example = 22;
+ description = mdDoc ''
+ Specifies on which port the endlessh daemon listens for SSH
+ connections.
+
+ Setting this to `22` may conflict with {option}`services.openssh`.
+ '';
+ };
+
+ extraOptions = mkOption {
+ type = with types; listOf str;
+ default = [ ];
+ example = [ "-6" "-d 9000" "-v" ];
+ description = mdDoc ''
+ Additional command line options to pass to the endlessh daemon.
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to open a firewall port for the SSH listener.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.endlessh = {
+ description = "SSH tarpit";
+ requires = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig =
+ let
+ needsPrivileges = cfg.port < 1024;
+ capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
+ rootDirectory = "/run/endlessh";
+ in
+ {
+ Restart = "always";
+ ExecStart = with cfg; concatStringsSep " " ([
+ "${pkgs.endlessh}/bin/endlessh"
+ "-p ${toString port}"
+ ] ++ extraOptions);
+ DynamicUser = true;
+ RootDirectory = rootDirectory;
+ BindReadOnlyPaths = [ builtins.storeDir ];
+ InaccessiblePaths = [ "-+${rootDirectory}" ];
+ RuntimeDirectory = baseNameOf rootDirectory;
+ RuntimeDirectoryMode = "700";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = !needsPrivileges;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+
ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; + }; + }; + + networking.firewall.allowedTCPPorts = with cfg; + optionals openFirewall [ port ]; + }; + + meta.maintainers = with maintainers; [ azahi ]; +} diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix index 156cc238e89af..c54915b10a2db 100644 --- a/nixos/modules/services/web-apps/invoiceplane.nix +++ b/nixos/modules/services/web-apps/invoiceplane.nix @@ -36,10 +36,10 @@ let version = src.version; src = pkgs.invoiceplane; - patchPhase = '' + postPhase = '' # Patch index.php file to load additional config file substituteInPlace index.php \ - --replace "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = new \Dotenv\Dotenv(__DIR__, 'extraConfig.php'); \$dotenv->load();"; + --replace "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();"; ''; installPhase = '' diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index 3b4d484fc8b9f..b8f0a4cf668ef 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -16,7 +16,8 @@ in enable = mkEnableOption (lib.mdDoc "VMWare Guest Support"); headless = mkOption { type = types.bool; - default = false; + default = !config.services.xserver.enable; + defaultText = "!config.services.xserver.enable"; description = lib.mdDoc "Whether to disable X11-related features."; }; }; 
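Review bot: `requires = [ "network.target" ]` in the `systemd.services.endlessh` attrset pulls the target in but does not order the unit after it; without a matching `after = [ "network.target" ]` the listener can be started before the network is configured. Binding the wildcard address usually works regardless, so the practical effect is small, but the dependency as written does not express the intent; I would write `requires = [ "network.target" ]; after = [ "network.target" ];`. The `port` description warns that `22` may conflict with `services.openssh`, yet nothing enforces it — an assertion that `cfg.port` is not among the openssh listen ports would turn the prose warning into an evaluation-time check. Minor: `openFirewall` uses `lib.mdDoc` while the other options use bare `mdDoc` under `with lib;`; pick one.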
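Review bot: `postPhase` is not a stdenv hook name — the hooks are `patchPhase`, `postPatch` and so on — so the renamed attribute is never executed and the `substituteInPlace` that wires `extraConfig.php` into `index.php` is silently skipped; the old `patchPhase` at least ran (while replacing the default patch phase). The line should read `postPatch = ''` so the substitution runs after the default patch phase, and the updated `Dotenv::createImmutable` call then actually lands in the deployed file. The `mkDerivation rec {` set this sits in starts and ends outside the hunk.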
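Review bot: `defaultText` is given as a plain string; the nixpkgs convention for a computed default is `defaultText = literalExpression "!config.services.xserver.enable";` so the manual renders it as an expression rather than a quoted literal. The `headless` description ("Whether to disable X11-related features") could also say that it now follows `services.xserver.enable` unless set explicitly, since the behaviour change is otherwise invisible to a reader of the option. The enclosing `options` set starts before and ends after the hunk.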
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 06ee955668f29..a3253339c035e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -183,6 +183,7 @@ in {
 ejabberd = handleTest ./xmpp/ejabberd.nix {};
 elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
 emacs-daemon = handleTest ./emacs-daemon.nix {};
+ endlessh = handleTest ./endlessh.nix {};
 endlessh-go = handleTest ./endlessh-go.nix {};
 engelsystem = handleTest ./engelsystem.nix {};
 enlightenment = handleTest ./enlightenment.nix {};
diff --git a/nixos/tests/endlessh.nix b/nixos/tests/endlessh.nix
new file mode 100644
index 0000000000000..be742a749fdd8
--- /dev/null
+++ b/nixos/tests/endlessh.nix
@@ -0,0 +1,43 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+{
+ name = "endlessh";
+ meta.maintainers = with lib.maintainers; [ azahi ];
+
+ nodes = {
+ server = { ... }: {
+ services.endlessh = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ specialisation = {
+ unprivileged.configuration.services.endlessh.port = 2222;
+
+ privileged.configuration.services.endlessh.port = 22;
+ };
+ };
+
+ client = { pkgs, ... }: {
+ environment.systemPackages = with pkgs; [ curl netcat ];
+ };
+ };
+
+ testScript = ''
+ def activate_specialisation(name: str):
+ server.succeed(f"/run/booted-system/specialisation/{name}/bin/switch-to-configuration test >&2")
+
+ start_all()
+
+ with subtest("Unprivileged"):
+ activate_specialisation("unprivileged")
+ server.wait_for_unit("endlessh.service")
+ server.wait_for_open_port(2222)
+ client.succeed("nc -dvW5 server 2222")
+
+ with subtest("Privileged"):
+ activate_specialisation("privileged")
+ server.wait_for_unit("endlessh.service")
+ server.wait_for_open_port(22)
+ client.succeed("nc -dvW5 server 22")
+ '';
+})
diff --git a/nixos/tests/invoiceplane.nix b/nixos/tests/invoiceplane.nix
index 4e63f8ac21c95..260e49db54d33 100644
--- a/nixos/tests/invoiceplane.nix
+++ b/nixos/tests/invoiceplane.nix
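Review bot: `client.succeed("nc -dvW5 server 2222")` and its port-22 twin are the only behavioural checks in `testScript` and their flags are unexplained; with the OpenBSD netcat `-d` ignores stdin and `-W5` exits after five received packets, so the call succeeds only once the tarpit has dripped a few banner lines, which is exactly the property worth asserting. I would add `# -W5: return only after the tarpit has sent five banner lines` above the first `client.succeed` line, and confirm that `pkgs.netcat` is the OpenBSD variant, since other netcats do not accept `-W`. `curl` is installed on the client but never used; drop it or say what it is for. The privileged subtest shows that port 22 opens but not that the unit really runs with `PrivateUsers` off and only `CAP_NET_BIND_SERVICE` granted — a `server.succeed("systemctl show -p AmbientCapabilities endlessh.service")`-style check would pin the hardening the module derives from the port.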
@@ -13,12 +13,12 @@ import ./make-test-python.nix ({ pkgs, ... }:
 services.invoiceplane.webserver = "caddy";
 services.invoiceplane.sites = {
 "site1.local" = {
- #database.name = "invoiceplane1";
+ database.name = "invoiceplane1";
 database.createLocally = true;
 enable = true;
 };
 "site2.local" = {
- #database.name = "invoiceplane2";
+ database.name = "invoiceplane2";
 database.createLocally = true;
 enable = true;
 };
|