path: root/nixos/modules/security
Age | Commit message | Author | Files | Lines
2023-05-20 | nixos/pam_mount: fix cryptmount options (#232873) | Jenny | 1 | -1/+13
There was a bug in the pam_mount module that crypt mount options were not passed to the mount.crypt command. This is now fixed and additionally, a cryptMountOptions NixOS option is added to define mount options that should apply to all crypt mounts. Fixes #230920
2023-05-15 | Merge pull request #231316 from hercules-ci/nixos-system.checks | Robert Hensing | 1 | -1/+1
NixOS: add `system.checks`
2023-05-15 | Merge pull request #231954 from mac-chaffee/acme-ipv6 | Nick Cao | 1 | -1/+1
nixos/security/acme: Fix listenHTTP bug with IPv6 addresses
2023-05-15 | nixos/pam: fix ZFS support assertion | Raito Bezarius | 1 | -1/+1
It was always complaining even if you didn't enable PAM ZFS.
2023-05-15 | nixos/pam: assert ZFS support for PAM module | Nicola Squartini | 1 | -0/+6
2023-05-15 | nixos/pam: improve documentation of ZFS module | Nicola Squartini | 1 | -3/+3
2023-05-15 | nixos/pam: enable unlocking ZFS home dataset | Nicola Squartini | 1 | -2/+53
2023-05-14 | security/acme: Fix listenHTTP bug with IPv6 addresses | Mac Chaffee | 1 | -1/+1
2023-05-11 | nixos: Use checks instead of extraDependencies | Robert Hensing | 1 | -1/+1
... as appropriate. This drops a few unnecessary store paths from the system closure.
2023-05-10 | Merge pull request #230857 from s1341/bugfix_pam_sssd | Ryan Lahfa | 1 | -1/+1
nixos/pam: Allow password changing via sssd
2023-05-09 | nixos/tpm2: fix typo | fetsorn | 1 | -1/+1
"acess" -> "access"
2023-05-09 | nixos/apparmor: fix typo | fetsorn | 1 | -1/+1
"usualy" -> "usually"
2023-05-09 | pam: remove unused try_first_pass | s1341 | 1 | -1/+1
2023-05-09 | nixos/pam: allow changing password using sssd | s1341 | 1 | -1/+1
2023-04-24 | Merge pull request #227232 from datafoo/nixos-acme-fix-options-type | Nick Cao | 1 | -2/+2
nixos/acme: fix options type
2023-04-20 | Merge pull request #222080 from Stunkymonkey/nixos-optionalString | Artturi | 1 | -2/+2
2023-04-20 | nixos/acme: fix options type | datafoo | 1 | -2/+2
null is a possible default so the type must reflect that.
2023-04-07 | treewide: use more lib.optionalString | Felix Buehler | 1 | -2/+2
2023-03-30 | Merge pull request #207115 from s1341/init_freeipa | Benjamin Staffin | 1 | -0/+258
freeipa: init at 4.10.1
2023-03-17 | Merge master into staging-next | github-actions[bot] | 1 | -5/+9
2023-03-17 | doas: refactor config generation | Savyasachee Jha | 1 | -5/+9
According to Ted Unangst, since doas evaluates rules in a last matched manner, it is prudent to have the "permit root to do everything without a password" at the end of the file. Source: https://flak.tedunangst.com/post/doas-mastery
2023-03-16 | Merge master into staging-next | github-actions[bot] | 2 | -5/+5
2023-03-16 | nixos/freeipa: init | s1341 | 1 | -0/+258
2023-03-13 | treewide: Make yescrypt the default algorithm for pam_unix.so | Martin Weinelt | 1 | -1/+1
This ensures `passwd` will default to yescrypt for newly generated passwords.
2023-03-06 | treewide: deprecate isNull | Felix Buehler | 2 | -5/+5
https://nixos.org/manual/nix/stable/language/builtins.html#builtins-isNull
2023-02-25 | Revert "nixos/polkit: guard static gid for polkituser behind state version" | Winter | 1 | -3/+1
This reverts commit 2265160fc0b4cc9a38b392ec3b3a3fe18c2e5413 and e56db577a1f69c02e80d8bc26d514c01a2c5cc61. Ideally, we shouldn't cause friction for users that bump `stateVersion`, and I'd consider having to switch and/or manually hardcode a UID/GID to suppress the warning friction. I think it'd be more beneficial to, in this rare case of an ID being missed, just let it be until more discussion happens surrounding this overall issue. See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
2023-02-23 | nixos/polkit: guard static gid for polkituser behind state version | Nick Cao | 1 | -1/+3
2023-02-22 | nixos/polkit: set static gid for polkituser | 1sixth | 1 | -1/+1
polkituser needs a group since https://github.com/NixOS/nixpkgs/pull/130522.
2023-02-08 | nixos/*: remove trailing period in mkEnableOptions | pennae | 1 | -1/+1
those are added by mkEnableOption, and .. is replaced to … by markdown processing.
2023-01-27 | nixos/manual: render module chapters with nixos-render-docs | pennae | 2 | -396/+1
this converts meta.doc into an md pointer, not an xml pointer. since we no longer need xml for manual chapters we can also remove support for manual chapters from md-to-db.sh. since pandoc converts smart quotes to docbook quote elements and our nixos-render-docs does not, we lose this distinction in the rendered output. that's probably not that bad, our stylesheet didn't make use of this anyway (and pre-23.05 versions of the chapters didn't use quote elements either). also updates the nixpkgs manual to clarify that option docs support all extensions (although it doesn't support headings at all, so heading anchors don't work by extension).
2023-01-22 | Merge pull request #211830 from sorpaas/patch-11 | Nick Cao | 1 | -1/+0
nixos/systemd-confinement: remove unused rootName
2023-01-21 | nixos: fix backticks in Markdown descriptions | Naïm Favier | 2 | -2/+2
2023-01-20 | nixos/systemd-confinement: remove unused rootName | Wei Tang | 1 | -1/+0
2023-01-13 | Merge master into staging-next | github-actions[bot] | 4 | -415/+750
2023-01-10 | nixos/manual: move "edit the MD file" comments to generated XML | pennae | 2 | -1/+2
2023-01-10 | nixos/manual: generate module chapters with md-to-db.sh | pennae | 3 | -15/+14
2023-01-10 | nixos/manual: enable smart quotes for all MD chapters | pennae | 2 | -15/+14
2023-01-10 | nixos/acme: convert manual chapter to MD | pennae | 3 | -254/+591
2023-01-10 | nixos/manual: normalize <literal><link> -> <link><literal> | pennae | 1 | -6/+6
MD can only do the latter, so change them all over now to keep diffs reviewable. this also includes <literal><xref> -> <xref> where options are referenced since the reference will implicitly add an inner literal tag.
2023-01-10 | nixos/manual: remove links from program listings | pennae | 1 | -57/+56
markdown cannot represent those links. remove them all now instead of in each chapter conversion to keep the diff for each chapter small and more understandable.
2022-12-23 | Merge pull request #205121 from alaviss/homed | Florian Klink | 1 | -3/+24
nixos: systemd-homed support
2022-12-17 | nixos: fix typos | figsoda | 5 | -7/+7
2022-12-15 | nixos/pam: allow backing the motd with a file | Markus Napierkowski | 1 | -2/+18
2022-12-09 | nixos: add systemd-homed support | Leorize | 1 | -3/+24
As a start, it's not very configurable, but works pretty well.
2022-11-14 | Merge pull request #199587 from lorenz/fscrypt | Franz Pletz | 1 | -0/+30
nixos/pam: support fscrypt login protectors
2022-11-11 | nixos/pam: support fscrypt login protectors | Lorenz Brun | 1 | -0/+30
fscrypt can automatically unlock directories with the user's login password. To do this it ships a PAM module which reads the user's password and loads the respective keys into the user's kernel keyring. Significant inspiration was taken from the ecryptfs implementation.
2022-11-07 | Merge pull request #186628 from ocfox/pam_faildelay | Bobby Rong | 1 | -0/+22
nixos/pam: add option failDelay
2022-11-07 | nixos/pam: add option failDelay | ocfox | 1 | -0/+22
Co-authored-by: Bobby Rong <rjl931189261@126.com>
2022-11-01 | Merge pull request #174951 from dpausp/fix-pam-tty-audit | Naïm Favier | 1 | -6/+6
2022-10-28 | treewide: convert fake octal ints to strings | Yorick van Pelt | 1 | -4/+4
These were being cast to strings later and then reinterpreted as octal.