Commit Graph

701 Commits

Author SHA1 Message Date
rnhmjoj
904f68fb0f
nixos/security/wrappers: make well-typed
The security.wrappers option is morally a set of submodules but it's
actually (un)typed as a generic attribute set. This is bad for several
reasons:

1. Some of the "submodule" options are not documented;
2. the default values are not documented and are chosen based on
   somewhat bizarre rules (issue #23217);
3. It's not possible to override an existing wrapper due to the
   dumb types.attrs.merge strategy;
4. It's easy to make mistakes that will go unnoticed, which is
   really bad given the sensitivity of this module (issue #47839).

This makes the option a proper set of submodules and adds strict types and
descriptions to every sub-option. Considering it's not yet clear if the
way the default values are picked is intended, this reproduces the current
behavior, but it's now documented explicitly.
2021-09-12 21:43:03 +02:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Zhaofeng Li
59af7f0a2b apparmor: Fix cups-client typo 2021-08-23 00:50:15 -07:00
Jörg Thalheim
9b962429be
Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
2021-08-20 23:23:42 +01:00
Jörg Thalheim
1645acf1d3 nixos: reduce pam files rebuilds on updates
Before, whenever environment variables changed, pam files had to be
rebuilt.

This is expensive since each file needs its own sandbox set up.
2021-08-20 23:43:30 +02:00
Malte Tammena
891e537592 Fix security.pam.yubico.challengeResponsePath type
The config is optional and may be left `null`.
2021-08-17 16:55:50 +02:00
Guillaume Girol
f626a23cd3
Merge pull request #130522 from Mic92/polkit
nixos/polkit: put polkituser into polkituser group
2021-08-08 15:09:15 +00:00
Martin Weinelt
f49b03c40b
Merge pull request #123258 from mweinelt/acme-hardening 2021-08-08 15:50:24 +02:00
Jörg Thalheim
b5f5a5e341 nixos/polkit: put polkituser into polkitgroup 2021-07-18 08:58:30 +02:00
mlatus
43ca464e37 nixos/pam: allow users to set the path to store challenge and expected responses used by yubico_pam 2021-07-17 15:05:31 +08:00
Martin Weinelt
7a10478ea7
nixos/acme: harden systemd units 2021-07-06 15:16:01 +02:00
Martin Weinelt
dc940ecdb3
Merge pull request #121750 from m1cr0man/master
nixos/acme: Ensure certs are always protected
2021-07-06 15:10:54 +02:00
Jörg Thalheim
e12188c0f2
nixos/systemd-confinement: use /var/empty as chroot mountpoint
Bind mounting directories into the nix store breaks nix commands.
In particular it introduces character devices that are not supported
by nix-store as valid files in the nix store. Use `/var/empty` instead,
which is designated for this kind of use case. We won't create any
files because of the tmpfs mounted there.
2021-07-01 08:01:18 +02:00
Jörg Thalheim
1e125a8002
Merge pull request #122674 from wakira/pam-order
nixos/pam: prioritize safer auth methods over fingerprints
2021-06-26 16:52:25 +02:00
Jenny
7bf7d9f8a7
nixos/pam_mount: add support for FUSE-filesystems (#126069) 2021-06-08 22:06:28 +02:00
Niklas Hambüchen
fdca90d07f
docs: acme: Fix typo 2021-06-06 14:27:13 +02:00
V
6fc18eb419 nixos/acme: Allow using lego's built-in web server
Currently, we hardcode the use of --http.webroot, even if no webroot is
configured. This has the effect of disabling the built-in server.

Co-authored-by: Chris Forno <jekor@jekor.com>
2021-06-05 06:00:45 +02:00
Sandro
44327ab7dc
Merge pull request #124991 from ju1m/apparmor 2021-06-01 15:26:30 +02:00
Vincent Bernat
632c8e1d54
nixos/acme: don't use --reuse-key
Reusing the same private/public key on renewal has two issues:

 - some providers refuse to sign the same public key
   again (Buypass Go SSL)

 - keeping the same private key forever partly defeats the purpose of
   renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
2021-06-01 00:43:45 +02:00
Julien Moutinho
61654ca131 nixos/pam: use new plasma5Packages, fixes #124973 2021-05-30 21:44:25 +02:00
ajs124
e2cf342ba9 nixos/security/apparmor: utillinux -> util-linux 2021-05-17 17:14:08 +02:00
Keshav Kini
348858f297 nixos/security.pki: handle PEMs w/o a final newline
According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
2021-05-16 17:23:11 -07:00
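The newline problem in this commit, worked through as an added example (not nixpkgs code): two constructed dummy PEM files, the first deliberately missing its final newline, are joined with cat and with awk, and each bundle is checked for how many certificates still begin at the start of a line. The `awk 1` form, the file names and the placeholder base64 bodies are assumptions of the example rather than details taken from the commit.

```sh
#!/bin/sh
# Added example (not nixpkgs code): why `cat` silently corrupts a CA bundle
# when an input PEM file has no newline after its END line, and why `awk 1`
# (assumed here as the fix idiom) does not.
set -eu

# Write two constructed dummy "certificates" into directory $1.
# a.pem deliberately ends without a newline (allowed by RFC 7468);
# b.pem ends with one. The base64 bodies are placeholders, not real DER.
make_samples() {
  printf '%s\n%s\n%s' \
    '-----BEGIN CERTIFICATE-----' 'QUFB' '-----END CERTIFICATE-----' > "$1/a.pem"
  printf '%s\n%s\n%s\n' \
    '-----BEGIN CERTIFICATE-----' 'QkJC' '-----END CERTIFICATE-----' > "$1/b.pem"
}

# Number of lines that *start* with a BEGIN marker. A BEGIN glued onto the
# previous file's END line is not at the start of a line and is not counted,
# which is how a PEM parser ends up losing the second certificate.
count_begins() { grep -c '^-----BEGIN CERTIFICATE-----'; }

# Old approach: plain concatenation, byte for byte.
bundle_cat() { cat "$1/a.pem" "$1/b.pem"; }

# Fixed approach: awk prints its output record separator ("\n") after every
# record, even when the last record of a file was not newline-terminated.
bundle_awk() { awk 1 "$1/a.pem" "$1/b.pem"; }

begins_via_cat() { bundle_cat "$1" | count_begins; }
begins_via_awk() { bundle_awk "$1" | count_begins; }

# Stand-alone run.
dir=$(mktemp -d)
make_samples "$dir"
echo "cat bundle: $(begins_via_cat "$dir") certificate(s) recognised"
echo "awk bundle: $(begins_via_awk "$dir") certificate(s) recognised"
rm -r "$dir"
```

The cat bundle contains both certificates' bytes, but the second BEGIN line is fused onto the first END line, so only one certificate survives parsing; the awk bundle keeps both.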
Lucas Savva
083aba4f83 nixos/acme: Ensure certs are always protected
As per #121293, I ensured the UMask is set correctly
and removed any unnecessary chmod/chown/chgrp commands.
The test suite already partially covered permissions
checking but I added an extra check for the selfsigned
cert permissions.
2021-05-15 12:41:33 +01:00
Sheng Wang
e0adda4113
nixos/pam: prioritize safer auth methods over fingerprints
Currently if fprintd is enabled, pam will ask for fingerprint
regardless of other configured authentication modules (e.g. yubikey).

This change makes fingerprint the last resort of authentication before asking for a password.
2021-05-12 13:25:08 +09:00
github-actions[bot]
bc1f4b790e
Merge master into staging-next 2021-05-09 12:23:16 +00:00
Michele Guerini Rocco
e5452226af
Merge pull request #121791 from dotlambda/sudo-execWheelOnly
nixos/sudo: add option execWheelOnly
2021-05-09 10:04:15 +02:00
Robert Schütz
5624aa9f81 nixos/sudo: add option execWheelOnly
By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
2021-05-08 23:48:00 +02:00
Martin Weinelt
9651084620 Merge remote-tracking branch 'origin/master' into staging-next 2021-05-08 14:43:43 +02:00
Jan Tojnar
468cb5980b gnome: rename from gnome3
Since GNOME version is now 40, it no longer makes sense to use the old attribute name.
2021-05-08 09:47:42 +02:00
Julien Moutinho
b42a0e205d nixos/apparmor: disable killUnconfinedConfinables by default 2021-04-23 07:20:20 +02:00
Julien Moutinho
45e5d726b2 nixos/apparmor: improve code readability 2021-04-23 07:20:19 +02:00
Julien Moutinho
8f9b29d168 apparmor: 2.13.5 -> 3.0.0 2021-04-23 07:17:56 +02:00
Julien Moutinho
27032f4dd6 nixos/apparmor: fix logprof.conf generation 2021-04-23 07:17:56 +02:00
Tony Olagbaiye
fca06b142a nixos/apparmor: remove an IFD
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
2021-04-23 07:17:55 +02:00
Julien Moutinho
05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00
Robert Hensing
e0e241c219
Merge pull request #116369 from m1cr0man/master
nixos/acme: Fix webroot issues
2021-03-23 21:31:42 +01:00
Lucas Savva
920a3f5a9d nixos/acme: Fix webroot issues
With the UMask set to 0023, the mkdir -p command which creates the webroot
could end up unreadable if the web server changes, as surfaced by the test
suite in #114751. On top of this, the following commands to chown the webroot
+ subdirectories were mostly unnecessary. I stripped it back to only fix the
deepest part of the directory, resolving #115976, and reintroduced a human
readable error message.
2021-03-15 01:41:40 +00:00
Robert Hensing
f0e20e0975 acme: Determine offline whether renewal is due 2021-03-01 23:41:52 +01:00
Florian Klink
f3af2df658
Merge pull request #111635 from xaverdh/hide-pid-broken
nixos/hidepid: remove module, it's broken
2021-02-23 00:20:29 +01:00
Dominik Xaver Hörl
893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
nicoo
39383a8494 nixos/rngd: Remove module entirely, leave an explanation
Per @shlevy's request on #96092.
2021-02-21 01:32:50 +01:00
Sandro
fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
Florian Klink
dfb2bc857b nixos/acme: fix docs 2021-01-29 18:56:28 +01:00
Florian Klink
82102fc37d
Merge pull request #100356 from m1cr0man/docsupdate
nixos/acme: Docs, explain how to set permissions
2021-01-29 17:16:06 +01:00
Florian Klink
1030745555
Merge pull request #106857 from m1cr0man/master
nixos/acme: Fixes for account creation and remove tmpfiles usage
2021-01-27 17:52:16 +01:00
Jörg Thalheim
0998756db2
Merge pull request #109342 from Mic92/wrappers 2021-01-27 14:32:38 +00:00
Jörg Thalheim
dbd05a5289
Update nixos/modules/security/wrappers/wrapper.nix
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2021-01-14 09:00:34 +00:00
Jörg Thalheim
eadffd9154
nixos/wrappers: fix applying capabilities
With libcap 2.41 the output of cap_to_text changed; the original author of
the code had hoped that this would never happen.
To counter this the security-wrapper now relies only on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors now make execution explicitly fail instead of
hiding errors behind debug environment variables, and the code style was
made more consistent, with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
2021-01-14 08:46:57 +01:00
Lucas Savva
514a0b6d8a nixos/acme: Fix bash issue, enable debug
I found a logical error in the bash script, but during
debugging I enabled command echoing and realised it
would be a good idea to have it enabled all the time for
ease of bug reporting.
2021-01-12 19:11:52 +00:00
Frederik Rietdijk
b209617ff0 plasma5Packages: alias to the libsForQt5 used to build the plasma5 desktop
In NixOS it is beneficial if both plasma5 and pam use the same Qt5
version. Because the plasma5 desktop may use a different version as the
default Qt5 version, we introduce plasma5Packages.
2021-01-10 15:59:45 +01:00
Lucas Savva
5b4f9c4244 nixos/acme: Set up webroot as non-root user 2021-01-09 19:37:03 +00:00
Lucas Savva
a01df7dc46 nixos/acme: Incorporate review suggestions 2021-01-09 19:15:03 +00:00
Sandro Jäckel
a7e31c64d9
nixos/acme: Suggest directory used security.acme.certs.<name>.webroot 2021-01-09 02:20:49 +01:00
Milan Pässler
018072ea22 nixos/pam: use pam_faillock instead of pam_tally
Fixes #108313

#107185 removed pam_tally, in favor of pam_faillock (see release notes).
2021-01-03 15:54:23 +01:00
Lucas Savva
92a3a37153 nixos/acme: Remove all systemd-tmpfiles usage
- Added an ExecPostStart to acme-$cert.service when webroot is defined to create the acme-challenge
directory and fix required permissions. Lego always tries to create .well-known and acme-challenge,
thus if any permissions in that tree are wrong it will crash and break cert renewal.
- acme-fixperms now configured with acme User and Group, however the script still runs as root. This
ensures the StateDirectories are owned by the acme user.
- Switched to list syntax for systemd options where multiple values are specified.
2020-12-29 15:01:08 +00:00
Florian Klink
f71e439688 nixos/acme: fix typo in docs 2020-12-28 13:19:15 +01:00
Lucas Savva
e5913db0c9 nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state.
Also added a note on ensuring the group of manual certs is correct.
2020-12-28 00:35:45 +00:00
Lucas Savva
f670e1dc23 nixos/acme: change service umask to 0023
Closes #106603
Some webservers (lighttpd) require that the
files they are serving are world readable. We
do our own chmods in the scripts anyway, and
lego has sensible permissions on its output
files, so this change is safe enough.
2020-12-28 00:35:20 +00:00
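The two umask commits above ("Fix webroot issues" and "change service umask to 0023") describe the same trap from both sides. As an added example that is not nixpkgs code, the snippet below creates the webroot tree with `mkdir -p` under umask 0023 and under 0022 and prints the resulting modes: files come out 0644 (world readable, as the 0023 commit wants), but directories come out 0754, with no execute bit for others, so a web server that is not in the acme group cannot enter the challenge directory. Paths and function names are the example's own.

```sh
#!/bin/sh
# Added example (not nixpkgs code): what a 0023 UMask does to a webroot tree
# created with `mkdir -p`, compared with 0022. Paths are the example's own.
set -eu

# Permission string as printed by `ls -ld`, e.g. "drwxr-xr-x".
perm_of() { ls -ld "$1" | cut -c1-10; }

# Create <webroot>/.well-known/acme-challenge and a token file inside it the
# way a service running under umask $1 would, then print the challenge
# directory's permissions. 0777 & ~0023 = 0754: no "other" execute bit.
make_webroot() {
  ( umask "$1"
    mkdir -p "$2/.well-known/acme-challenge"
    : > "$2/.well-known/acme-challenge/token" )
  perm_of "$2/.well-known/acme-challenge"
}

# Permissions of the token file created under that umask (0666 & ~0023 = 0644).
token_perm() { perm_of "$1/.well-known/acme-challenge/token"; }

# True when "other" can both read and traverse the directory, which a web
# server outside the acme group needs on every component of the served path.
other_can_traverse() {
  case "$(perm_of "$1")" in ???????r?x) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run: compare the two umasks side by side.
root=$(mktemp -d)
for um in 0023 0022; do
  echo "umask $um: dir $(make_webroot "$um" "$root/$um"), file $(token_perm "$root/$um")"
  if other_can_traverse "$root/$um/.well-known/acme-challenge"; then
    echo "  other users can enter the challenge directory"
  else
    echo "  other users cannot enter the challenge directory (no x bit)"
  fi
done
rm -r "$root"
```

The point a practitioner should take away: a umask of 0023 only looks like 0022 for regular files; for directories the stripped "other" write bit also takes the traverse bit with it, so the served tree still needs an explicit chmod or a web server in the right group.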
Lucas Savva
351065f970 nixos/acme: reduce dependency on tmpfiles
systemd-tmpfiles is no longer required for
most of the critical paths in the module. The
only one that remains is the webroot
acme-challenge directory since there's no
other good place for this to live and forcing
users to do the right thing alone will only
create more issues.
2020-12-28 00:35:20 +00:00
Lucas Savva
85769a8cd8 nixos/acme: prevent mass account creation
Closes #106565
When generating multiple certificates which all
share the same server + email, lego will attempt
to create an account multiple times. By adding an
account creation target certificates which share
an account will wait for one service (chosen at
config build time) to complete first.
2020-12-28 00:35:18 +00:00
Florian Klink
49853c69f5
Merge pull request #101482 from m1cr0man/jwsfix
nixos/acme: lego run when account is missing
2020-12-20 11:06:19 +01:00
Lucas Savva
e3120397a5 nixos/acme: Remove dependency on system version for hash
This means that all systems running from master will trigger
new certificate creation on next rebuild. Race conditions around
multiple account creation are fixed in #106857, not this commit.
2020-12-18 12:57:35 +00:00
Silvan Mosberger
6df56e1cb8
Merge pull request #103866 from cole-h/doas
doas: 6.6.1 -> 6.8
2020-11-30 19:02:55 +01:00
Frederik Rietdijk
b2a3891e12 Merge master into staging-next 2020-11-27 15:09:19 +01:00
Graham Christensen
d9c3f13df3
Merge pull request #104776 from grahamc/utillinux
utillinux: rename to util-linux
2020-11-24 15:14:36 -05:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
adisbladis
ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Florian Klink
d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
Cole Helbling
19c0927d30
nixos/doas: add noLog option 2020-11-14 19:16:56 -08:00
Linus Heckemann
2b06415ca1
Merge pull request #101370 from m1cr0man/ssl-test-certs
nixos/acme: Permissions and tests fixes
2020-10-28 17:21:57 +01:00
Nick Hu
921287e7f0
Merge pull request #97726 from NickHu/pam_gnupg
pam: add support for pam_gnupg
2020-10-26 15:27:13 +00:00
Lucas Savva
79ecf069f5
nixos/acme: Add data.email to othersHash in nixos > 20.09 2020-10-24 20:40:02 +01:00
Lucas Savva
76401c9a3b
nixos/acme: lego run when account is missing 2020-10-23 18:52:42 +01:00
Lucas Savva
89d134b3fd
nixos/acme: Use more secure chmods
Previous settings would make files executable in
the certs directories.
2020-10-22 14:04:31 +01:00
David Reiss
49a749c729 nixos/pam_mount: add pamMount attribute to users
This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.
2020-10-14 22:55:55 -07:00
Dominique Martinet
f8d78b9f67
confinement: fix assert for serviceConfig.ProtectSystem
serviceConfig.ProtectSystem is usually a string so if set, the assert
itself would error out leaving no usable trace:

  # nixos-rebuild switch --show-trace
  building Nix...
  building the system configuration...
  error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5:
  while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12:
  while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8:
  while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position:
  while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7:
  value is a string while a Boolean was expected

Fix the check to give a sensible assert message instead; the attribute
should either be unset or the boolean false to pass.

Closes: #99000
2020-10-14 11:56:18 +02:00
Lucas Savva
d95f020a53
nixos/acme: Docs, explain how to set permissions
As of 20.09 the /var/lib/acme/.challenges permissions will
not automatically be correct. Add instructions on how to
set them correctly.
2020-10-12 19:26:00 +01:00
Nick Hu
948e05bb28
pam: add support for pam_gnupg 2020-10-12 13:29:40 +01:00
Florian Klink
a1cb02148b
Merge pull request #99912 from m1cr0man/ocspfix
nixos/acme: Fix ocspMustStaple option and add test
2020-10-11 23:44:33 +02:00
zowoq
f9bb39e294 nixos/pam: remove trailing whitespace 2020-10-09 18:31:20 +10:00
Miles Breslin
8e628f8eea
nixos/pam: Add option to set pam-u2f appid (#73591) 2020-10-08 14:37:40 -04:00
Jeroen Simonetti
cc3ce9a13a nixos/security/acme: Add DNS resolver option
When using the ACME DNS-01 challenge, there is a possibility of a
failure to resolve the challenge if the record is not propagated
fast enough. To circumvent this generic DNS problem, this adds
a setting to explicitly tell the ACME provider to use a certain DNS
resolver to lookup the challenge.

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2020-10-07 13:01:08 +02:00
Vladimír Čunát
420f89ceb2
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fd.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
2020-10-07 12:22:18 +02:00
Lucas Savva
1edd91ca09
nixos/acme: Fix ocspMustStaple option and add test
Some of the testing setup for OCSP checking was wrong and
has been fixed too.
2020-10-07 00:18:13 +01:00
Andreas Rammhold
2c0ee52d91
nixos/security/acme: order after nss-lookup.target
This should hopefully solve races with DNS servers (such as unbound)
during the activation of a new generation. Previously unbound could
still be unavailable and thus the acme script would fail.
2020-10-06 22:52:55 +02:00
Tim Steinbach
9646ae97c8
pam: Fix interaction with samba
9544c6078e / #96672 removed the samba option
`syncPasswordsByPam`.
This option needs to be removed from the pam module too, otherwise it will cause build errors.
2020-10-05 09:13:16 -04:00
Doron Behar
9544c6078e
Merge pull request #96672 from doronbehar/module/samba
nixos/samba: remove upstream deprecated syncPasswordsByPam option
2020-10-04 11:29:56 +03:00
Maximilian Bosch
d2dc0ae203
nixos/sudo: add package option
The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.
2020-10-01 13:00:52 +02:00
Andreas Rammhold
9630d5c07f
nixos/security/wrapper: ensure the tmpfs is not world writeable
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory having the standard (for tmpfs) mode: 1777 (world writeable,
sticky, the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
2020-09-28 22:55:20 +02:00
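Checks for the two permission properties named in the sudo execWheelOnly commit further up (mode 4510, group wheel) and in this tmpfs commit (the wrappers directory must not be 1777), written as an added example rather than nixpkgs code. It runs against the real paths when they exist and otherwise only against constructed files; the /run/wrappers path, the helper names and the group override parameter are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not nixpkgs code): audit checks for the sudo wrapper mode
# and the wrappers tmpfs mode described in the commits above.
set -eu

perm_of()  { ls -ld "$1" | cut -c1-10; }        # e.g. "-r-s--x---"
group_of() { ls -ld "$1" | awk '{print $4}'; }  # owning group name

# execWheelOnly: mode 4510 on the sudo wrapper renders as "-r-s--x---"
# (setuid, u=rx, g=x, o=none) and the group must be wheel, so only wheel
# members can execute the binary at all. $2 overrides the expected group.
sudo_wheel_only() {
  [ "$(perm_of "$1")" = "-r-s--x---" ] && [ "$(group_of "$1")" = "${2:-wheel}" ]
}

# A tmpfs mounted with default options has its root at 1777 ("drwxrwxrwt"):
# every user can create files and subdirectories there, as the commit
# notes. The directory holding setuid wrappers must not have the "other"
# write bit at all.
is_world_writable() {
  case "$(perm_of "$1")" in ????????w?) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run against the real paths (assumed NixOS layout) when present.
for p in /run/wrappers /run/wrappers/bin/sudo; do
  [ -e "$p" ] || { echo "$p: not present, skipped"; continue; }
  if [ -d "$p" ]; then
    if is_world_writable "$p"; then
      echo "$p: WORLD WRITABLE ($(perm_of "$p"))"
    else
      echo "$p: ok ($(perm_of "$p"))"
    fi
  else
    if sudo_wheel_only "$p"; then
      echo "$p: ok (4510, group wheel)"
    else
      echo "$p: not restricted to wheel ($(perm_of "$p") $(group_of "$p"))"
    fi
  fi
done
```

Both checks read the `ls -ld` mode string rather than `stat` output so they behave the same on GNU and BusyBox userlands; the `cut -c1-10` also drops the trailing ACL or security-context marker some `ls` builds append.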
Michael Raskin
31a4e2e28b
Merge pull request #93457 from ju1m/apparmor
apparmor: fix and improve the service
2020-09-27 13:07:38 +00:00
Florian Klink
303078d9ca
Merge pull request #97303 from martinetd/systemd-confinement-list
systemd-confinement: handle ExecStarts etc being lists
2020-09-10 21:17:17 +02:00
nicoo
e64d3f60fb nixos/modules/security/rngd: Disable by default
`rngd` seems to be the root cause for slow boot issues, and its functionality is
redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel
space) that takes care of pulling in data from hardware RNGs:

> commit be4000bc4644d027c519b6361f5ae3bbfc52c347
> Author: Torsten Duwe <duwe@lst.de>
> Date:   Sat Jun 14 23:46:03 2014 -0400
>
>     hwrng: create filler thread
>
>     This can be viewed as the in-kernel equivalent of hwrngd;
>     like FUSE it is a good thing to have a mechanism in user land,
>     but for some reasons (simplicity, secrecy, integrity, speed)
>     it may be better to have it in kernel space.
>
>     This patch creates a thread once a hwrng registers, and uses
>     the previously established add_hwgenerator_randomness() to feed
>     its data to the input pool as long as needed. A derating factor
>     is used to bias the entropy estimation and to disable this
>     mechanism entirely when set to zero.

Closes: #96067
2020-09-09 21:51:25 -04:00
Thomas Tuegel
053b05d14d
Remove Qt 5.15 from Plasma closure 2020-09-08 08:47:34 -05:00
Dominique Martinet
fd196452f0 systemd-confinement: handle ExecStarts etc being lists
systemd-confinement's automatic package extraction does not work correctly
if ExecStart, ExecReload, etc. are lists.

Add an extra flatten to make things smooth.

Fixes #96840.
2020-09-06 18:55:10 +02:00
Florian Klink
d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Julien Moutinho
fb6d63f3fd apparmor: fix and improve the service 2020-09-06 07:43:03 +02:00
Lucas Savva
34b5c5c1a4
nixos/acme: More features and fixes
- Allow for key reuse when domains are the only thing that
  were changed.
- Fixed systemd service failure when preliminarySelfsigned
  was set to false
2020-09-06 01:28:19 +01:00
Lucas Savva
f57824c915
nixos/acme: Update docs, use assert more effectively 2020-09-05 01:06:29 +01:00
Julien Moutinho
539ae5c932 Revert "apparmor: add apparmor_parser config file"
This reverts commit 2259fbdf4b.
2020-09-05 01:46:12 +02:00
Lucas Savva
67a5d660cb
nixos/acme: Run postRun script as root 2020-09-04 19:34:10 +01:00