Commit Graph

431 Commits

Author SHA1 Message Date
h7x4
0a37316d6c
treewide: use mkPackageOption
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
happysalada
e5b0b76105 nixos/clamav: add fangfrisch updater 2023-11-24 09:09:46 +00:00
happysalada
eb746540a9 nixos/clamav: run as clamav user not root 2023-11-22 03:08:30 +00:00
happysalada
ef6b8ff15a nixos/clamav: use state and runtime directory 2023-11-22 03:08:30 +00:00
Maximilian Bosch
48459567ae nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989

First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.

The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).

After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].

So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that

* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
  `ensureUsers`. That way, the user is actually the owner and can
  perform `CREATE`.
* For such a postgres user, a database must be declared in
  `ensureDatabases`.

For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.

Regarding existing setups: there are effectively two options:

* Leave everything as-is (assuming that system user == db user == db
  name): then the DB user will automatically become the DB owner and
  everything else stays the same.

* Drop the `createDatabase = true;` declarations: nothing will change
  because a removal of `ensure*` statements is ignored, so it doesn't
  matter at all whether this option is kept after the first deploy (and
  later on you'd usually restore from backups anyways).

  The DB user isn't the owner of the DB then, but for an existing setup
  this is irrelevant because CREATE on the public schema isn't revoked
  from existing users (only not granted for new users).

[1] not really declarative though because removals of these statements
    are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
    because it IMHO falls into the category "manage the state on your
    own" (see the commit message). See also
    https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
    also add more things like collation for DBs or passwords that are
    _never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-13 17:16:25 +01:00
Maximilian Bosch
5927d55685
privacyidea: remove
Related to #262907 (Django3 removal from nixpkgs).

This package already required an unreasonable amount of maintenance
regularly for a such small leaf-package. It has a few highly outdated
dependencies (e.g. flask 1, jinja2 2.11, sqlalchemy 1.3).

After at least each Python package-set update one had to fix up a lot of
dependencies to fix the package itself, so it was only useful on stable
branches. And having so much outdated software in a security-sensitive
piece of software seems questionable.

Finally, globin and I won't be available for maintaining this now that
Mayflower is migrating to another solution (and we'll do that as well)
and I'd expect this to bitrot extremely quick if we both bail out.
2023-10-31 14:17:48 +01:00
nikstur
95e6dfd5d9
Merge pull request #260275 from thillux/jitterentropy-rngd
jitterentropy-rngd: init at 1.2.8
2023-10-21 19:10:51 +02:00
Sandro Jäckel
7f94b9e9c6
nixos/fail2ban: change bantime default to not be config breaking 2023-10-21 02:38:29 +02:00
Markus Theil
e98a8367ec jitterentropy-rngd: init at 1.2.8
Add jitterentropy-rngd, a tool similar to rng-tools.
While not necessarily needed, it is useful for those
who want to strengthen their kernel entropy input pool
by periodic insertion of an independent source.

The entropy source is a NIST SP800-90B compliant
non-physical true RNG source on most systems.
See the jitterentropy documentation for details
(http://chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf).

Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-10-20 10:04:11 +02:00
Christopher Crouse
f9947192cb
nixos/opensnitch: fix typo and enable new system rules
Fixed typo to enable [new system rules](https://github.com/evilsocket/opensnitch/wiki/System-rules#upgrading-from-previous-versions)

Fixes: https://github.com/NixOS/nixpkgs/issues/256290
2023-10-17 18:00:48 +00:00
Artturi
22e61b1402
nixos/fail2ban: also inherit bantime (#244688)
nixos/fail2ban: also inherit bantime
2023-10-17 09:40:39 +03:00
Jean-François Roche
fb3723fe52
nixos/tang: create module for tang server (#247037)
This commit adds a module for the tang server and the related nixos test.
2023-10-16 13:10:15 +02:00
Andreas Wiese
1e8b8e6d38 nixos/usbguard: don't use path literal for pure evaluation
PR#256295 reintroduced ruleFile option, but set the default as a path
literal, which was a "string path" previously.  This breaks evaluation
for being impure:

  error: access to absolute path '/var/lib/usbguard/rules.conf' is forbidden in pure eval mode (use '--impure' to override)
2023-09-27 11:22:09 +02:00
0x4A6F
a0db07dad5
Merge pull request #256295 from Janik-Haag/usbguard
nixos/usbguard: restore ruleFile option
2023-09-25 22:05:36 +02:00
Janik H.
3b673297e7
nixos/usbguard: restore ruleFile option 2023-09-20 13:55:55 +02:00
Niklas Hambüchen
c460434104 nixos/vaultwarden: Fix doubly-nested config value. Fixes evaluation 2023-09-19 16:46:08 +00:00
Sagi Sarussi
f3cf8b679b nixos/kanidm: fix broken doc links 2023-08-31 14:03:30 +03:00
Ilan Joselevich
fb1f530bc6
Merge pull request #249521 from Kranzes/oauth2-proxy
nixos/oauth2_proxy: service after network.target -> network-online.target
2023-08-17 03:16:10 +03:00
Ilan Joselevich
0a732d2adf
nixos/oauth2_proxy: service after network.target -> network-online.target 2023-08-16 14:40:33 +03:00
h7x4
655a04a8fa
nixos/kanidm: add package option
Signed-off-by: h7x4 <h7x4@nani.wtf>
2023-08-15 10:05:44 +02:00
Jonas Heinrich
c5f4a46036 nixos/opensnitch: Add support for EPBF process monitor
Co-authored-by: Slime90
2023-08-13 22:19:48 +08:00
Martin Weinelt
184d15cc06
kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13
https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13

The kanidmd process now creates a unix socket, over which admin tasks
can be done, without having to shut kanidm down first.

The kanidm_unixd process now wants access to /etc/shadow and /etc/group,
so it can rule out collisions with the host system.
2023-08-01 17:13:58 +02:00
Tim
28a081c736
also inherit bantime 2023-07-21 18:48:20 +02:00
André Schröder
9858973dad nixos/vaultwarden: Fix Markdown syntax of link
The typo was introduced in 1d41cff3dc
2023-07-17 23:41:44 +02:00
Oliver Richter
9d6cd34766 esdm: init at 0.6.0
Signed-off-by: Oliver Richter <richter-oliver@gmx.net>
2023-07-13 16:08:12 +02:00
Lassulus
0e1fc501c6
Merge pull request #241927 from ether42/usbguard
nixos/usbguard: rename services.usbguard.implictPolicyTarget to services.usbguard.implicitPolicyTarget
2023-07-12 18:58:30 +02:00
Felix Buehler
bec27fabee treewide: use lib.optional instead of 'then []' 2023-07-12 09:36:28 +01:00
Kevin Boulain
680ee304ca nixos/usbguard: rename services.usbguard.implictPolicyTarget to services.usbguard.implicitPolicyTarget 2023-07-06 15:34:40 +02:00
Lassulus
f751061a08
Merge pull request #237477 from accelbread/usbguard-dbus-support
nixos/usbguard: add USBGuard dbus daemon option
2023-07-05 23:13:10 +02:00
Ryan Lahfa
7672c1e9ae
Merge pull request #201907 from Tom-Hubrecht/fail2ban 2023-07-02 13:57:47 +02:00
Niklas Hambüchen
080757c6c5 nixos/vaultwarden: Bind to localhost by default. See #100192 2023-07-01 15:35:28 +02:00
Tom Hubrecht
208ee8b2e2 nixos/fail2ban: use attrsets for settings instead of strings 2023-06-30 22:27:40 +02:00
Felix Buehler
933a41a73f treewide: use optional instead of 'then []' 2023-06-25 09:11:40 -03:00
Jelle Besseling
53a3ddfab8
vault: set coredump ulimit to 0 2023-06-22 16:44:30 +02:00
Archit Gupta
cbb69aa1c1 nixos/usbguard: add USBGuard dbus daemon option
The usbguard package includes the dbus daemon, but the NixOS config
option does not provide a service file or its necessary polkit rules.

Enabling the dbus daemon allows use of Gnome's USBGuard support.
2023-06-12 21:38:07 -07:00
Max
847a7f1102 nixos/kanidm: auto-restart kanidm-unixd-tasks 2023-06-11 17:17:42 +02:00
pennae
727086540f
Merge pull request #233238 from emilylange/username-change
maintainers: rename indeednotjames to emilylange
2023-05-21 17:07:05 +02:00
emilylange
b0e7f7f5db
maintainers: rename indeednotjames to emilylange 2023-05-21 16:01:35 +02:00
figsoda
701bcdbead nixos: fix typos 2023-05-19 22:31:04 -04:00
Izorkin
edb40b3e4f nixos/fail2ban: others small update 2023-05-03 08:45:26 +02:00
Izorkin
544ebba973 nixos/fail2ban: update bantime options 2023-05-03 08:45:26 +02:00
Thomas
4e8bde773f
nixos/{consul-template,vault-agent}: init 2023-04-24 06:55:57 +02:00
Tom Hubrecht
e41c569429 nixos/authelia: Allow using Unix sockets 2023-04-20 23:53:16 +02:00
datafoo
066166cf49 nixos/fail2ban: add extraSettings option 2023-04-20 16:57:24 +02:00
Artturi
b83db86a9e
Merge pull request #222080 from Stunkymonkey/nixos-optionalString 2023-04-20 16:07:30 +03:00
Flakebi
603e89eef9 kanidm: BindMount certificate paths
Bind mount the base dirs of the tls key and chain into the service.

Make sure to bind every directory just once. The test failed on ofborg
when /nix/store and the certificate path in /nix/store/<some path> were
bound.
2023-04-20 02:32:37 +02:00
datafoo
3403ee0602 nixos/fail2ban: add bantime option 2023-04-19 19:18:31 +02:00
Felix Buehler
327b0cff7a treewide: use more lib.optionalString 2023-04-07 13:38:33 +02:00
06kellyjac
9b60eef4bd authelia: move module under security and minor fixes
Fixed test access to lib
Added nixos test to passthru
2023-03-27 12:00:07 +01:00
Flakebi
12db8314d7
fail2ban: 0.11.2 -> 1.0.2
Update to 1.0.2: https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog#ver-102-20221109---finally-war-game-test-tape-not-a-nuclear-alarm
1.0.1 contained a few breaking changes, but I think they have little
impact.

I changed the module to use the systemd service shipping with fail2ban
(now added to the package).
2023-02-15 10:11:38 +01:00