Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme/default.nix (renamed from nixos/modules/security/acme.nix) | 2 | ||||
-rw-r--r-- | nixos/modules/security/acme/doc.xml (renamed from nixos/modules/security/acme.xml) | 0 | ||||
-rw-r--r-- | nixos/modules/security/acme/mk-cert-ownership-assertion.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/google_oslogin.nix | 9 | ||||
-rw-r--r-- | nixos/modules/security/misc.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 18 |
6 files changed, 22 insertions, 15 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme/default.nix
index e244989d64086..d827c448055b7 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -916,6 +916,6 @@ in {
meta = {
maintainers = lib.teams.acme.members;
- doc = ./acme.xml;
+ doc = ./doc.xml;
};
}
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme/doc.xml
index f623cc509be69..f623cc509be69 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme/doc.xml
diff --git a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
new file mode 100644
index 0000000000000..b80d89aeb9fc6
--- /dev/null
+++ b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
@@ -0,0 +1,4 @@
+{ cert, group, groups, user }: {
+ assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
+ message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}";
+}
diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix
index c2889a0f0d1d7..cf416035ef60c 100644
--- a/nixos/modules/security/google_oslogin.nix
+++ b/nixos/modules/security/google_oslogin.nix
@@ -5,7 +5,7 @@ with lib;
let
cfg = config.security.googleOsLogin;
- package = pkgs.google-compute-engine-oslogin;
+ package = pkgs.google-guest-oslogin;
in
@@ -17,7 +17,7 @@ in
type = types.bool;
default = false;
description = ''
- Whether to enable Google OS Login
+ Whether to enable Google OS Login.
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
@@ -36,7 +36,7 @@ in
security.pam.services.sshd = {
makeHomeDir = true;
googleOsLoginAccountVerification = true;
- # disabled for now: googleOsLoginAuthentication = true;
+ googleOsLoginAuthentication = true;
};
security.sudo.extraConfig = '' 
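Review bot: `groups.${cert.group}.members` on the assertion line of mk-cert-ownership-assertion.nix is an unguarded attribute lookup: when `cert.group` names a group that is not declared in `groups` (one created outside the NixOS users configuration, for instance), evaluation aborts with an attribute-missing error and the message on the next line is never shown, so the check fails to explain itself exactly when it matters. Guarding the lookup keeps the intended message and also reads more directly: `assertion = cert.group == group || builtins.elem user (groups.${cert.group}.members or []);`. The file is a bare lambda with no comment; a one-line header stating that `user` and `group` are the identity of the service that must be able to read the certificate (presumably, given the message) would help the callers that pass them in.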
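Review bot: `googleOsLoginAuthentication = true;` in google_oslogin.nix replaces the previous `# disabled for now:` line without recording why it is now appropriate to enable, and because it is a plain assignment a host that wants account verification but not OS Login PAM authentication cannot set `security.pam.services.sshd.googleOsLoginAuthentication = false` without a conflicting-definition error. `googleOsLoginAuthentication = mkDefault true;` (the file already has `with lib;`) keeps the new default while leaving it overridable, and a short comment on why the earlier reservation no longer applies would preserve that context. The enclosing config attribute set continues outside the hunk.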
@@ -47,6 +47,9 @@ in
"d /var/google-users.d 750 root root -"
];
+ systemd.packages = [ package ];
+ systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ];
+ # enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index e7abc1e0d597c..c20e067b8cc78 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -123,8 +123,8 @@ with lib;
boot.kernel.sysctl."user.max_user_namespaces" = 0;
assertions = [
- { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
- message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+ { assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces;
+ message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
})
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 0944b36c6d197..9f295db84fd64 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
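Review bot: The new `systemd.timers.google-oslogin-cache.wantedBy` line in google_oslogin.nix depends on the timer and its service being supplied by `package` through the `systemd.packages` line just above it, but nothing says so, and a reader looking for the unit definition in this module will not find one. Presumably the explicit `wantedBy` is required because the `[Install]` section of a unit imported via `systemd.packages` is not applied by NixOS; if that is the reason, a comment such as `# google-oslogin-cache.{timer,service} ship with the package; their [Install] section is not honoured, so wire the cache-refresh timer in here` would make the pairing clear. The enclosing config attribute set continues outside the hunk.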
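Review bot: The rewritten assertion in misc.nix applies `->` directly to `config.nix.settings.sandbox`, but that option also accepts the string `"relaxed"`, for which `->` fails with an evaluation-time type error instead of yielding the message on the following line (the replaced `nix.useSandbox` line had the same shape, so this is inherited rather than introduced by the commit). If relaxed sandboxing also relies on user namespaces, `assertion = (config.nix.settings.sandbox != false) -> config.security.allowUserNamespaces;` covers both forms and keeps the message accurate; otherwise a comment noting that only `true` is checked would do. The enclosing attribute set, closed by the `})` context line, starts outside the hunk.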
@@ -444,15 +444,15 @@ let
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
'' +
optionalString cfg.googleOsLoginAccountVerification ''
- account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
- account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
+ account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
+ account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
''
# Authentication management.
'' +
optionalString cfg.googleOsLoginAuthentication ''
- auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
+ auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
'' +
optionalString cfg.rootOK ''
auth sufficient pam_rootok.so
@@ -1035,7 +1035,7 @@ in
setuid = true;
owner = "root";
group = "root";
- source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+ source = "${pkgs.pam}/bin/unix_chkpwd";
};
};
@@ -1072,8 +1072,8 @@ in
security.apparmor.includes."abstractions/pam" = let
isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
in
- lib.concatMapStringsSep "\n"
- (name: "r ${config.environment.etc."pam.d/${name}".source},")
+ lib.concatMapStrings
+ (name: "r ${config.environment.etc."pam.d/${name}".source},\n")
(attrNames config.security.pam.services)
+ ''
mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
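Review bot: The change from `perm_denied=bad` to `perm_denied=die` on the `auth` line for pam_oslogin_login.so is the one semantic change in this hunk and nothing in the file explains it: with `die` a permission-denied result ends the auth stack at once, so the modules after it (the `pam_rootok.so` line in this hunk and whatever follows) are never consulted, whereas `bad` recorded the failure and let the stack continue. Since google_oslogin.nix now enables googleOsLoginAuthentication for sshd in the same commit, this stricter policy applies to every ssh login on hosts using the module, which is worth stating next to the line. A comment such as `# perm_denied=die: a denial from OS Login is final and must not fall through to later auth modules` would capture the intent. The string expression this line belongs to starts and ends outside the hunk.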
@@ -1091,11 +1091,11 @@ in
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
- mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
- mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
+ mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
+ mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
- mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
+ mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
'' +
optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) '' |