Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2024-04-28 | Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix | Thomas Gerbet | 1 | -3/+1 | |
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles` | |||||
2024-04-22 | nixos/isolate: init module | Vir Chaudhury | 1 | -0/+133 | |
2024-04-22 | nixos/duosec: Split `mkdir` mode into `chmod` command for clarity | Victor Engmark | 1 | -2/+4 | |
As recommended by ShellCheck <https://github.com/koalaman/shellcheck/wiki/SC2174>. | |||||
2024-04-13 | nixos: remove all uses of lib.mdDoc | stuebinm | 26 | -299/+295 | |
these changes were generated with nixq 0.0.2, by running `nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix`, `nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix`, `nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix`; two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. | |||||
2024-04-09 | nixos: improve many 'enable' descriptions | Bjørn Forsman | 2 | -3/+3 | |
2024-04-03 | More specific link to tag spec | Noah S-C | 1 | -1/+1 | |
Co-authored-by: Aleksana <alexander.huang.y@gmail.com> | |||||
2024-04-02 | nixos/sudo: update command options enum for newer sudo version | Noah Santschi-Cooney | 1 | -2/+2 | |
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version. MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8) | |||||
2024-03-28 | treewide: Fix all Nix ASTs in all markdown files | Janne Heß | 1 | -176/+190 | |
This allows for correct highlighting and maybe future automatic formatting. The AST was verified to work with nixfmt only. | |||||
2024-03-22 | nixos/pam: use services.fprintd.package for fprintd rule | Nick Cao | 1 | -1/+1 | |
2024-03-01 | Merge pull request #291951 from amarshall/zfs-pkgs-renaming | Adam C. Stephens | 1 | -2/+2 | |
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package | |||||
2024-02-28 | nixos/pam/kwallet: rename option, allow setting package | K900 | 1 | -16/+23 | |
2024-02-27 | nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion | Andrew Marshall | 1 | -2/+2 | |
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only require `zfs.enabled` to be true here. | |||||
2024-02-11 | Merge pull request #286857 from RaitoBezarius/cacerts | Ryan Lahfa | 1 | -1/+13 | |
nixos/security/ca: enable support for compatibility bundles | |||||
2024-02-11 | nixos/security/ca: enable support for compatibility bundles | Raito Bezarius | 1 | -1/+13 | |
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> | |||||
2024-02-08 | pam_usb, nixos/pam-usb: drop | Raito Bezarius | 2 | -63/+0 | |
`security.pam.usb` is broken anyway and upstream has abandoned the software. | |||||
2024-02-06 | nixos/acme: default to lets encrypt production URL instead of null, mention lets encrypt staging URI (#270221) | Sandro | 1 | -5/+7 | |
2024-02-02 | nixos/pam: Add pam_intune | Rhys Davies | 1 | -0/+3 | |
2024-02-01 | Merge pull request #285587 from edef1c/wrapper-cve-2023-6246 | Pierre Bourdon | 1 | -0/+7 | |
nixos/modules/security/wrappers: limit argv0 to 512 bytes | |||||
2024-02-01 | nixos/modules/security/wrappers: limit argv0 to 512 bytes | edef | 1 | -0/+7 | |
This mitigates CVE-2023-6246, crucially without a mass-rebuild. Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527 | |||||
2024-01-31 | nixos/pam: remove pam_cgfs | Adam Stephens | 1 | -3/+0 | |
pam_cgfs is a cgroups-v1 pam module. Verified with upstream that this module is no longer necessary on cgroups-v2 systems. | |||||
2024-01-19 | nixos/acme: fix assertion for renamed option | éclairevoyant | 1 | -2/+2 | |
2024-01-18 | fix semi-colon missing | mian | mian | 1 | -5/+5 | |
2024-01-12 | nixos/pam: Secure default for `sshAgentAuth.authorizedKeysFiles` | nicoo | 1 | -3/+1 | |
Closes #31611 | |||||
2024-01-10 | Merge pull request #243169 from 2xsaiko/outgoing/krb5 | Peder Bergebakken Sundt | 4 | -5/+183 | |
nixos/krb5: cleanup, fix and RFC42-ify | |||||
2024-01-08 | nixos/pam: Fix use of renamed `enableSSHAgentAuth` option | nicoo | 1 | -1/+1 | |
2024-01-08 | Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611 | Maciej Krüger | 2 | -14/+41 | |
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files | |||||
2024-01-07 | Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth | Maciej Krüger | 1 | -0/+7 | |
nixos/pam: Add assertion for SSH-agent auth | |||||
2024-01-04 | nixos/sudo: Remove unused `enableSSHAgentAuth` let-binding | nicoo | 1 | -2/+0 | |
2024-01-04 | nixos/pam: Warn on insecure `sshAgentAuth` configurations | nicoo | 1 | -0/+10 | |
2024-01-03 | nixos/pam: Add `sshAgentAuth.authorizedKeysFiles` option | nicoo | 1 | -1/+24 | |
2024-01-03 | nixos/pam: Rename option `enableSSHAgentAuth` to `sshAgentAuth.enable` | nicoo | 1 | -12/+8 | |
2024-01-01 | nixos/auditd: fix typo | Maciej Krüger | 1 | -1/+1 | |
Would otherwise fail with ``` error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values: - In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target " ``` | |||||
2023-12-30 | nixos/pam: Assert that `authorizedKeysFiles` is non-empty when using `pam_ssh_agent_auth` | nicoo | 1 | -0/+7 | |
2023-12-29 | nixos/wrappers: order service after sysusers service | nikstur | 1 | -0/+1 | |
2023-12-29 | nixos/ipa: replace activationScript | nikstur | 1 | -19/+27 | |
Replaced with a dedicated systemd service. | |||||
2023-12-27 | Merge pull request #271326 from philiptaron/shutdown.target | nikstur | 4 | -5/+11 | |
treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case | |||||
2023-12-24 | nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it | Sandro Jäckel | 1 | -2/+2 | |
Also fix the comment with test instructions | |||||
2023-12-24 | nixos/sudo-rs: Removed unused let-binding | nicoo | 1 | -2/+0 | |
Leftover from bcc2d1238a1c97347518812f224921d29aa3b3f8 | |||||
2023-12-21 | nixos/krb5: add h7x4 as maintainer | Marco Rebhan | 1 | -1/+1 | |
2023-12-21 | nixos/krb5: add myself as maintainer for module & tests | Marco Rebhan | 1 | -0/+4 | |
2023-12-21 | nixos/krb5: move to security.krb5 | Marco Rebhan | 4 | -5/+179 | |
2023-12-11 | Merge pull request #270224 from SuperSandro2000/patch-2 | pennae | 1 | -8/+8 | |
nixos/acme: add syntax highlighting to code blocks | |||||
2023-12-10 | nixos/acme: add syntax highlighting to code blocks | Sandro | 1 | -8/+8 | |
2023-11-30 | nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 1 | -1/+2 | |
2023-11-30 | nixos/duosec: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 1 | -2/+4 | |
2023-11-30 | nixos/auditd: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 1 | -1/+3 | |
This looks like it's got a few other idiosyncrasies, but I'll leave it alone for now. | |||||
2023-11-30 | nixos/apparmor: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 1 | -1/+2 | |
2023-11-30 | Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption | Weijia Wang | 1 | -8/+1 | |
treewide: use `mkPackageOption` | |||||
2023-11-27 | treewide: use `mkPackageOption` | h7x4 | 2 | -16/+2 | |
This commit replaces a lot of usages of `mkOption` with the package type, to be `mkPackageOption`, in order to reduce the amount of code. | |||||
2023-11-25 | nixos/sudo-rs: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module | nicoo | 2 | -9/+8 | |
Similar to delroth's suggestion in #262790. |