Commit Graph

1004 Commits

Author SHA1 Message Date
phaer
37cf9cbb22
security/dhparams: shellcheck fixes 2024-09-08 12:31:15 +02:00
Felix Bühler
d7a108054a
nixos/security.acme: remove with lib; (#339101) 2024-09-06 00:08:41 +02:00
r-vdp
38d73e0c07
auditd: add a dependency on systemd-tmpfiles-setup
This is needed so that:
- users have been created (when using systemd-sysusers or userborn)
- /run and /var/run exist
2024-09-05 10:05:18 +02:00
Felix Buehler
03a0f9debe nixos/security.acme: remove with lib; 2024-09-05 00:28:18 +02:00
r-vdp
544c97226d
auditd: remove with lib 2024-09-04 10:00:07 +02:00
r-vdp
0cb37347c6
auditd: format with nixfmt 2024-09-04 10:00:07 +02:00
Philip Taron
117f3ceb51
treewide/nixos: remove with lib; part 1 (#335603) 2024-08-29 15:42:04 -07:00
Felix Buehler
9856183d59 nixos/security.polkit: remove with lib; 2024-08-30 00:30:38 +02:00
Felix Buehler
9dfb6b691d nixos/security.sudo-rs: remove with lib; 2024-08-30 00:10:54 +02:00
Felix Buehler
e32ec19edf nixos/security.pam: remove with lib; 2024-08-22 00:19:00 +02:00
Sandro Jäckel
96790120df
nixos/pam: fix writeFile no longer taking null as an argument warning
> evaluation warning: pkgs.writeText "motd": The second argument should be a string, but it's a null instead, which is deprecated. Use `toString` to convert the value to a string first.
2024-08-09 14:20:47 +02:00
Pratham Patel
4074853391
nixos/pam: kwallet: add the forceRun option 2024-08-01 09:51:31 +05:30
Colin
7306423158
nixos/pam: fully-qualify modulePath
this ensures PAM users always get the intended version of a module when
multiple versions of the same module exist on a system.

most packages which consume `pam` and link against `libpam.so` do so only
to access its API, and not because they care about the specific
`pam_<xyz>.so` modules provided by that `pam`. but when specifying
modules by name only, PAM-capable applications may well load the
`pam_<xyz>.so` from the `pam` they were compiled against instead of the
pam declared in `security.pam.package`. by fully qualifying `modulePath`
we ensure that users can actually swap out pam modules without rebuilding
the world.
2024-07-30 23:53:58 +05:30
Colin
7511ed266c
nixos/pam: add security.pam.package option
this can be used to swap out which pam package is actually used by the
system for things like `pam_limits`, `pam_tty_audit`, etc, without forcing
a mass rebuild the way an overlay would.
2024-07-30 23:53:57 +05:30
Sigmanificient
6dd44107ac treewide: remove unused lib (and other) arguments 2024-07-26 11:18:09 +02:00
Masum Reza
13da3c09fb
Merge pull request #327499 from max-privatevoid/pam-kanidm-package-option
nixos/pam: use Kanidm's package option
2024-07-24 09:24:09 +05:30
Arian van Putten
8afba669e2 nixos/wrappers: use normal mount for /run/wrappers
We want to get rid of specialFileSystems / earlyMountScript eventually and
there is no need to run this before systemd anymore now that
the wrappers themselves are set up in a systemd unit since https://github.com/NixOS/nixpkgs/pull/263203

Also this is needed to make soft-reboot work. We want to make sure
that we remount /run/wrappers with the nosuid bit removed on soft-reboot
but because @earlyMountScript@ happens in initrd, this wouldn't happen
2024-07-20 16:07:43 +02:00
Max
1dd44eaf67 nixos/pam: use Kanidm's package option 2024-07-16 00:39:03 +02:00
novenary
fcccfb9e48 nixos/pam/u2f: implement RFC0042
This module has a lot of options, so it's a good candidate for freeform
settings.
2024-07-05 17:07:02 +03:00
Jan Tojnar
1369411184 gnome-keyring: Move from gnome scope to top-level
It is on the way out.
2024-07-01 09:35:26 +02:00
Artturin
1ecc3cd35b
Merge pull request #322194 from Artturin/polkitaddpackageoption
nixos/polkit: Add package option
2024-06-26 12:42:38 +03:00
Sandro
33f83c6252
Merge pull request #316977 from eclairevoyant/fix-mkEnableOption
treewide: fix mkEnableOption usage
2024-06-25 22:42:16 +02:00
Artturin
b61e0ff19b nixos/polkit: Add package option
Overlaying polkit results in a lot of rebuilds thus it makes sense to
add a package option.

Assists in using the patch needed to fix https://www.github.com/NixOS/nixpkgs/issues/18012
2024-06-24 17:55:41 +03:00
Benjamin Staffin
4530b8f72f
nixos/ipa: Lower default sssd debug_level (#310662)
debug_level 65510 (0x3f7f0) is _extremely_ verbose, far more than one
would want in normal operation.  Setting these in the default config
also makes it difficult to override in a user config.  Anyone who needs
greater verbosity can add these options to their own sssd config, or
adjust them at runtime with `sssctl debug-level`.
2024-06-22 11:31:18 -04:00
Benjamin Staffin
e93ccda887
nixos/ipa: Make ipa_hostname configurable (#321588)
Some sites put hosts in domains outside of the IPA server's default
domain, so this needs to be user-configurable.  The default is to use
the system's FQDN if it is configured, otherwise fallback to the
previous default behaviour of assuming the IPA's server's domain.
2024-06-22 11:29:54 -04:00
h7x4
d8ddf6fb6d
Merge pull request #287611 from h7x4/nixos-module-fixup-kerberos-server
nixos/kerberos_server: use krb format generator, plus misc cleanup
2024-06-14 17:04:55 +02:00
éclairevoyant
7d8742da87
treewide: fix mkEnableOption usage 2024-06-14 02:41:42 -04:00
h7x4
195d155a1c
nixos/kerberos_server: use krb format generator, plus misc cleanup
- Introduce more possible options by using the krb format generator.
- Enforce package choice is using a correct package.
- Use meta attribute to decide implementation, allows for overriding the
  package.
- Make necessary changes to the format, to allow for multiple ACL files in
  heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
2024-06-08 23:29:53 +02:00
Stéphan Kochen
d1f07e6382 nixos/acme: allow setting security.acme.defaults.server = null to keep old accounts directory
The accounts directory is based on the hash of the settings.

https://github.com/NixOS/nixpkgs/pull/270221 changed the  default of
security.acme.defaults.server from null to the default letsencrypt URL
however as an unwanted side effect this means the accounts directory
changes and the ACME module will create a new a new account.

This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments

We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.

Fixes https://github.com/NixOS/nixpkgs/issues/316608

Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
2024-06-04 20:09:46 +02:00
aszlig
e4bd1e8f92
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:41 +02:00
aszlig
0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
Julien Moutinho
0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Thomas Gerbet
deed6fb8f3
Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
2024-04-28 09:24:38 +02:00
Vir Chaudhury
4ca92fb6ec nixos/isolate: init module 2024-04-22 10:19:09 +08:00
Victor Engmark
c11815167f nixos/duosec: Split mkdir mode into chmod command for clarity
As recommended by ShellCheck
<https://github.com/koalaman/shellcheck/wiki/SC2174>.
2024-04-22 01:40:55 +10:00
stuebinm
6afb255d97 nixos: remove all uses of lib.mdDoc
these changes were generated with nixq 0.0.2, by running

  nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix

two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.

Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00
Bjørn Forsman
a29010fe79 nixos: improve many 'enable' descriptions 2024-04-09 07:10:17 +02:00
Noah S-C
5c4858ad7b
More specific link to tag spec
Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
2024-04-03 17:52:28 +01:00
Noah Santschi-Cooney
1a5acce391
nixos/sudo: update command options enum for newer sudo version
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version.
MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8)
2024-04-02 15:15:53 +01:00
Janne Heß
fcc95ff817 treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00
Nick Cao
cee0d0bac7
nixos/pam: use services.fprintd.package for fprintd rule 2024-03-22 20:14:49 -04:00
Adam C. Stephens
b52452f8c7
Merge pull request #291951 from amarshall/zfs-pkgs-renaming
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-03-01 10:09:12 -05:00
K900
8be79e54c5 nixos/pam/kwallet: rename option, allow setting package 2024-02-28 18:49:33 +03:00
Andrew Marshall
2e36c49949 nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
2024-02-27 18:46:00 -05:00
Ryan Lahfa
d9e7a2a88a
Merge pull request #286857 from RaitoBezarius/cacerts
nixos/security/ca: enable support for compatibility bundles
2024-02-11 19:44:02 +01:00
Raito Bezarius
19159a2349 nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
Raito Bezarius
2d78f55438 pam_usb, nixos/pam-usb: drop
`security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-08 02:59:45 +01:00
Sandro
4494fcaab7
nixos/acme: default to lets encrypt production URL instead of null, mention lets encrypt staging URI (#270221) 2024-02-06 01:51:09 +01:00
Rhys Davies
d102910f47
nixos/pam: Add pam_intune 2024-02-02 10:01:52 +13:00
Pierre Bourdon
3484985991
Merge pull request #285587 from edef1c/wrapper-cve-2023-6246
nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01 19:18:45 +01:00