| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
nixos/polkit: Add package option
|
|
treewide: fix mkEnableOption usage
|
|
Overlaying polkit results in a lot of rebuilds thus it makes sense to
add a package option.
Assists in using the patch needed to fix https://www.github.com/NixOS/nixpkgs/issues/18012
|
|
debug_level 65510 (0x3f7f0) is _extremely_ verbose, far more than one
would want in normal operation. Setting these in the default config
also makes it difficult to override in a user config. Anyone who needs
greater verbosity can add these options to their own sssd config, or
adjust them at runtime with `sssctl debug-level`.
|
|
Some sites put hosts in domains outside of the IPA server's default
domain, so this needs to be user-configurable. The default is to use
the system's FQDN if it is configured, otherwise fallback to the
previous default behaviour of assuming the IPA's server's domain.
|
|
nixos/kerberos_server: use krb format generator, plus misc cleanup
|
|
|
|
- Introduce more possible options by using the krb format generator.
- Enforce package choice is using a correct package.
- Use meta attribute to decide implementation, allows for overriding the
package.
- Make necessary changes to the format, to allow for multiple ACL files in
heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
|
|
accounts directory
The accounts directory is based on the hash of the settings.
https://github.com/NixOS/nixpkgs/pull/270221 changed the default of
security.acme.defaults.server from null to the default letsencrypt URL
however as an unwanted side effect this means the accounts directory
changes and the ACME module will create a new a new account.
This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments
We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.
Fixes https://github.com/NixOS/nixpkgs/issues/316608
Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
|
|
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).
The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.
To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.
This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:
> The goal is to deny write access to / to non-root users,
>
> * TemporaryFileSystem=/ gives us that through the ownership of / by
> root (instead of the service's user inherited from
> RuntimeDirectory=).
> * ProtectSystem=strict gives us that by mounting / read-only (while
> keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
> ...
>
> I guess this would require at least two changes to the current tests:
>
> 1. to no longer expect root to be able to write to some paths (like
> /bin) (at least not without first remounting / in read-write
> mode).
> 2. to no longer expect non-root users to fail to write to certain
> paths with a "permission denied" error code, but with a
> "read-only file system" error code.
I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.
[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215
Signed-off-by: aszlig <aszlig@nix.build>
|
|
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
|
|
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
|
|
|
|
As recommended by ShellCheck
<https://github.com/koalaman/shellcheck/wiki/SC2174>.
|
|
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
|
|
|
|
Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
|
|
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version.
MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8)
|
|
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
|
|
|
|
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
|
|
|
|
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
|
|
nixos/security/ca: enable support for compatibility bundles
|
|
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.
For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional
trust rules.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
|
|
`security.pam.usb` is broken anyway and upstream has abandoned the software.
|
|
lets encrypt staging URI (#270221)
|
|
|
|
nixos/modules/security/wrappers: limit argv0 to 512 bytes
|
|
This mitigates CVE-2023-6246, crucially without a mass-rebuild.
Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
|
|
pam_cgfs is a cgroups-v1 pam module. Verified with upstream that
this module no longer necessary on cgroups-v2 systems.
|
|
|
|
|
|
Closes #31611
|
|
nixos/krb5: cleanup, fix and RFC42-ify
|
|
|
|
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
|
|
nixos/pam: Add assertion for SSH-agent auth
|
|
|
|
|
|
|
|
|
|
Would otherwise fail with
```
error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
- In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
|
|
`pam_ssh_agent_auth`
|
|
|
|
Replaced with a dedicated systemd service.
|
|
treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case
|
|
easily identify it
Also fix the comment with test instructions
|
|
Leftover from bcc2d1238a1c97347518812f224921d29aa3b3f8
|
