path: root/nixos/modules/security
Age  Commit message  (Author; files changed, lines -/+)
2024-04-28  Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix  (Thomas Gerbet; 1 file, -3/+1)
    nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
2024-04-22  nixos/isolate: init module  (Vir Chaudhury; 1 file, -0/+133)
2024-04-22  nixos/duosec: Split `mkdir` mode into `chmod` command for clarity  (Victor Engmark; 1 file, -2/+4)
    As recommended by ShellCheck <https://github.com/koalaman/shellcheck/wiki/SC2174>.
2024-04-13  nixos: remove all uses of lib.mdDoc  (stuebinm; 26 files, -299/+295)
    these changes were generated with nixq 0.0.2, by running
        nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
        nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
        nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
    two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-09  nixos: improve many 'enable' descriptions  (Bjørn Forsman; 2 files, -3/+3)
2024-04-03  More specific link to tag spec  (Noah S-C; 1 file, -1/+1)
    Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
2024-04-02  nixos/sudo: update command options enum for newer sudo version  (Noah Santschi-Cooney; 1 file, -2/+2)
    The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version. MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8)
2024-03-28  treewide: Fix all Nix ASTs in all markdown files  (Janne Heß; 1 file, -176/+190)
    This allows for correct highlighting and maybe future automatic formatting. The AST was verified to work with nixfmt only.
2024-03-22  nixos/pam: use services.fprintd.package for fprintd rule  (Nick Cao; 1 file, -1/+1)
2024-03-01  Merge pull request #291951 from amarshall/zfs-pkgs-renaming  (Adam C. Stephens; 1 file, -2/+2)
    zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-02-28  nixos/pam/kwallet: rename option, allow setting package  (K900; 1 file, -16/+23)
2024-02-27  nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion  (Andrew Marshall; 1 file, -2/+2)
    `zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only require `zfs.enabled` to be true here.
2024-02-11  Merge pull request #286857 from RaitoBezarius/cacerts  (Ryan Lahfa; 1 file, -1/+13)
    nixos/security/ca: enable support for compatibility bundles
2024-02-11  nixos/security/ca: enable support for compatibility bundles  (Raito Bezarius; 1 file, -1/+13)
    Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional trust rules.
    Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-08  pam_usb, nixos/pam-usb: drop  (Raito Bezarius; 2 files, -63/+0)
    `security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-06  nixos/acme: default to Let's Encrypt production URL instead of null, mention Let's Encrypt staging URI (#270221)  (Sandro; 1 file, -5/+7)
2024-02-02  nixos/pam: Add pam_intune  (Rhys Davies; 1 file, -0/+3)
2024-02-01  Merge pull request #285587 from edef1c/wrapper-cve-2023-6246  (Pierre Bourdon; 1 file, -0/+7)
    nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01  nixos/modules/security/wrappers: limit argv0 to 512 bytes  (edef; 1 file, -0/+7)
    This mitigates CVE-2023-6246, crucially without a mass-rebuild.
    Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
2024-01-31  nixos/pam: remove pam_cgfs  (Adam Stephens; 1 file, -3/+0)
    pam_cgfs is a cgroups-v1 pam module. Verified with upstream that this module is no longer necessary on cgroups-v2 systems.
2024-01-19  nixos/acme: fix assertion for renamed option  (éclairevoyant; 1 file, -2/+2)
2024-01-18  fix missing semi-colon  (mian | mian; 1 file, -5/+5)
2024-01-12  nixos/pam: Secure default for `sshAgentAuth.authorizedKeysFiles`  (nicoo; 1 file, -3/+1)
    Closes #31611
2024-01-10  Merge pull request #243169 from 2xsaiko/outgoing/krb5  (Peder Bergebakken Sundt; 4 files, -5/+183)
    nixos/krb5: cleanup, fix and RFC42-ify
2024-01-08  nixos/pam: Fix use of renamed `enableSSHAgentAuth` option  (nicoo; 1 file, -1/+1)
2024-01-08  Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611  (Maciej Krüger; 2 files, -14/+41)
    nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
2024-01-07  Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth  (Maciej Krüger; 1 file, -0/+7)
    nixos/pam: Add assertion for SSH-agent auth
2024-01-04  nixos/sudo: Remove unused `enableSSHAgentAuth` let-binding  (nicoo; 1 file, -2/+0)
2024-01-04  nixos/pam: Warn on insecure `sshAgentAuth` configurations  (nicoo; 1 file, -0/+10)
2024-01-03  nixos/pam: Add `sshAgentAuth.authorizedKeysFiles` option  (nicoo; 1 file, -1/+24)
2024-01-03  nixos/pam: Rename option `enableSSHAgentAuth` to `sshAgentAuth.enable`  (nicoo; 1 file, -12/+8)
2024-01-01  nixos/auditd: fix typo  (Maciej Krüger; 1 file, -1/+1)
    Would otherwise fail with
    ```
    error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
    - In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
    ```
2023-12-30  nixos/pam: Assert that `authorizedKeysFiles` is non-empty when using `pam_ssh_agent_auth`  (nicoo; 1 file, -0/+7)
2023-12-29  nixos/wrappers: order service after sysusers service  (nikstur; 1 file, -0/+1)
2023-12-29  nixos/ipa: replace activationScript  (nikstur; 1 file, -19/+27)
    Replaced with a dedicated systemd service.
2023-12-27  Merge pull request #271326 from philiptaron/shutdown.target  (nikstur; 4 files, -5/+11)
    treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case
2023-12-24  nixos/wrapper: add basename of the wrapped program to the wrapper's name to easily identify it  (Sandro Jäckel; 1 file, -2/+2)
    Also fix the comment with test instructions
2023-12-24  nixos/sudo-rs: Removed unused let-binding  (nicoo; 1 file, -2/+0)
    Leftover from bcc2d1238a1c97347518812f224921d29aa3b3f8
2023-12-21  nixos/krb5: add h7x4 as maintainer  (Marco Rebhan; 1 file, -1/+1)
2023-12-21  nixos/krb5: add myself as maintainer for module & tests  (Marco Rebhan; 1 file, -0/+4)
2023-12-21  nixos/krb5: move to security.krb5  (Marco Rebhan; 4 files, -5/+179)
2023-12-11  Merge pull request #270224 from SuperSandro2000/patch-2  (pennae; 1 file, -8/+8)
    nixos/acme: add syntax highlighting to code blocks
2023-12-10  nixos/acme: add syntax highlighting to code blocks  (Sandro; 1 file, -8/+8)
2023-11-30  nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target  (Philip Taron; 1 file, -1/+2)
2023-11-30  nixos/duosec: ensure correct ordering w.r.t. shutdown.target  (Philip Taron; 1 file, -2/+4)
2023-11-30  nixos/auditd: ensure correct ordering w.r.t. shutdown.target  (Philip Taron; 1 file, -1/+3)
    This looks like it's got a few other idiosyncrasies, but I'll leave it alone for now.
2023-11-30  nixos/apparmor: ensure correct ordering w.r.t. shutdown.target  (Philip Taron; 1 file, -1/+2)
2023-11-30  Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption  (Weijia Wang; 1 file, -8/+1)
    treewide: use `mkPackageOption`
2023-11-27  treewide: use `mkPackageOption`  (h7x4; 2 files, -16/+2)
    This commit replaces a lot of usages of `mkOption` with the package type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-25  nixos/sudo-rs: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module  (nicoo; 2 files, -9/+8)
    Similar to delroth's suggestion in #262790.