Commit Graph

359 Commits

Author SHA1 Message Date
Sandro
f5802f496d
Merge pull request #187026 from azahi/endlessh-go 2022-10-09 16:50:02 +02:00
Maximilian Bosch
15914eba85
nixos/privacyidea: fix manual build 2022-10-06 13:50:31 +02:00
Maximilian Bosch
ecaf6aed02
nixos/privacyidea: add proper support for privacyidea-token-janitor
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time and apply actions to them (e.g. `disable` or
`delete`).

This patch adds two new things:

* A wrapper for `privacyidea-token-janitor` to make sure it's executable
  from CLI. To achieve this, it does a `sudo(8)` into the
  `privacyidea`-user and sets up the environment to make sure the
  configuration file can be found. With that, administrators can
  directly invoke it from the CLI without additional steps.

* An optional service is added which performs automatic cleanups of
  orphaned and/or unassigned tokens. Yes, the tool can do way more
  stuff, but I figured it's reasonable to have an automatic way to clean
  up tokens of users who were removed from the PI instance. Additional
  automation steps should probably be implemented in additional
  services (and are perhaps too custom to add them to this module).

[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
2022-10-06 11:43:20 +02:00
Solene Rapenne
605a588ea6 nixos/fail2ban: improve module documentation 2022-10-02 12:59:54 +02:00
Azat Bahawi
99dc9b9c16
nixos/endlessh-go: init module 2022-09-23 23:55:54 +03:00
Kerstin
1637945189
Merge pull request #189975 from Tasqa/kanidm-cacerts-fix
nixos/kanidm: Add cacerts path to unixd service
2022-09-15 16:28:21 +02:00
Guillaume Girol
a47cfca9af
Merge pull request #189744 from symphorien/vaultwarden-service
nixos/vaultwarden: misc fixes
2022-09-12 19:26:39 +00:00
Tako Marks
3df41451e3 nixos/kanidm: Bind mount cacert path in unixd service
In order to be able to use the unixd service with the `verify_ca` and
`verify_hostnames` set to `true` it needs to be able to read the
certificate store. This change bind mounts the cacert paths for the
unixd service.
2022-09-06 15:01:37 +02:00
Guillaume Girol
70b8ef1df6 nixos/vaultwarden: fix typo in timer alias 2022-09-04 12:00:00 +00:00
Guillaume Girol
7160e94e27 nixos/vaultwarden: fix race with backup
when vaultwarden starts while backup-vaultwarden.service is running, it
fails because the sqlite database is locked
2022-09-04 12:00:00 +00:00
Guillaume Girol
7d009061c9 nixos/vaultwarden: Restart=always
there is no reason vaultwarden should remain not started
2022-09-04 12:00:00 +00:00
pennae
3bddcf5f90
Merge branch 'master' into option-docs-md 2022-09-01 16:10:09 +02:00
pennae
1d41cff3dc nixos/*: convert straggler options to MD 2022-08-31 17:27:38 +02:00
pennae
f2ea09ecbe nixos/*: convert options with listings
minor rendering changes.
2022-08-31 17:27:36 +02:00
pennae
722b99bc0e nixos/*: convert options with admonitions to MD
rendering changes only slightly, most changes are in spacing.
2022-08-31 16:36:16 +02:00
pennae
bd56368848 nixos/*: md-convert hidden plaintext options
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
2022-08-31 16:32:54 +02:00
pennae
ef176dcf7e nixos/*: automatically convert option descriptions
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running

    nix-doc-munge nixos/**/*.nix
    nix-doc-munge --import nixos/**/*.nix

the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
2022-08-31 16:32:53 +02:00
pennae
e4f876eb7e nixos/*: convert varlist-using options to MD
there are sufficiently few variable list around, and they are
sufficiently simple, that it doesn't seem helpful to add another
markdown extension for them. rendering differences are small, except in
the tor module: admonitions inside other blocks cannot be made to work
well with mistune (and likely most other markdown processors), so those
had to be shuffled a bit. we also lose paragraph breaks in the list
items due to how we have to render from markdown to docbook, but once we
remove docbook from the pipeline those paragraph breaks will be restored.
2022-08-31 16:32:53 +02:00
pennae
7d102d113a nixos/*: convert multiline inline code to listings
presumably it was not intended to have these blocks rendered inline, and
markdown conversion would be messy as well.
2022-08-31 16:27:25 +02:00
pennae
5841c386a0 nixos/*: remove indentation from long enable options
the way these are written they introduce lots of whitespace in each
line, which will cause those lines to render as code when converted to
markdown. override the whole description instead.
2022-08-31 16:21:14 +02:00
K900
a7bfb90ea8 nixos/vaultwarden: protect the default data directory more
Fixes #179415
2022-08-29 09:26:31 +03:00
pennae
e607b30abe nixos/tor: convert option descriptions to MD
no change in rendered output. the html manual could render <screen>
blocks differently, but so far it hasn't (and if we need to make a
distinction we can use a special info string).
2022-08-27 19:18:29 +02:00
pennae
6039648c50 nixos/*: automatically convert option docs 2022-08-19 22:40:58 +02:00
pennae
7e7d68a250 nixos/*: mark pre-existing markdown descriptions as mdDoc 2022-08-19 22:40:58 +02:00
pennae
b51f8036c2 nixos/*: use properly indented strings for option docs
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
2022-08-19 22:40:58 +02:00
pennae
8f8e101527 nixos/*: normalize <package> to <literal>
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
2022-08-19 22:40:58 +02:00
Jörg Thalheim
7a8a3dfd8b
Merge pull request #181939 from Mic92/vault-2
vault: fix assertions when raft backend is used
2022-08-16 05:24:01 +01:00
pennae
087472b1e5 nixos/*: automatically convert option docs 2022-08-06 20:39:12 +02:00
pennae
423545fe48 nixos/*: normalize manpage references to single-line form
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.

no change to the manpage, changes to the HTML manual are whitespace only.
2022-08-05 18:34:50 +02:00
pennae
61e93df189 nixos/*: automatically convert option docs to MD
once again using nix-doc-munge (69d080323a)
2022-08-03 22:46:41 +02:00
pennae
3aebb4a2be nixos/*: normalize link format
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.

the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
2022-08-03 21:57:46 +02:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
Maximilian Bosch
81add6600c
nixos/privacyidea-ldap-proxy: umask to avoid accidental world-readability 2022-07-20 20:29:38 +02:00
Maximilian Bosch
8b72dae17b
Merge pull request #181528 from Ma27/privacyidea-ldap-proxy-secrets
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy
2022-07-18 14:19:47 +02:00
Maximilian Bosch
949c334ea9
nixos/privacyidea-ldap-proxy: use list for EnvironmentFile for mergeability 2022-07-18 13:58:08 +02:00
Jörg Thalheim
2856eb2046 vault: fix assertions when raft backend is used 2022-07-18 13:12:26 +02:00
Maximilian Bosch
4adf26f018
nixos/privacyidea-ldap-proxy: always run envsubst
Otherwise the file doesn't exist at the expected location.
2022-07-16 14:00:46 +02:00
Maximilian Bosch
bccaac9535
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy
Instead of hard-coding a single `configFile` for
`privacyidea-ldap-proxy.service` which is pretty unmergable with other
declarations it now uses a RFC42-like approach. Also to make sure that
secrets can be handled properly without ending up in the Nix store, it's
possible to inject secrets via envsubst

    {
      services.privacyidea.ldap-proxy = {
        enable = true;
        environmentFile = "/run/secrets/ldap-pw";
        settings = {
          privacyidea.instance = "privacyidea.example.org";
          service-account = {
            dn = "uid=readonly,ou=serviceaccounts,dc=example,dc=org";
            password = "$LDAP_PW";
          };
        };
      };
    }

and the following secret file (at `/run/secrets`):

    LDAP_PW=<super-secret ldap pw>

For backwards-compat the old `configFile`-option is kept, but it throws
a deprecation warning and is mutually exclusive with the
`settings`-attrset. Also, it doesn't support secrets injection with
`envsubst` & `environmentFile`.
2022-07-14 23:51:17 +02:00
Aidan Gauland
d9119dbbdf
pass-secret-service: unstable-2020-04-12 -> unstable-2022-03-21
* Update to the latest upstream version of pass-secret-service that includes
  systemd service files.
* Add patch to fix use of a function that has been removed from the Python
  Cryptography library in NixOS 22.05
* Install systemd service files in the Nix package.
* Add NixOS test to ensure the D-Bus API activates the service unit.
* Add myself as a maintainer to the package and NixOS test.
* Use checkTarget instead of equivalent custom checkPhase.
2022-07-12 07:33:26 +12:00
Maximilian Bosch
000d72eb7f
nixos/privacyidea: pin python to 3.9
Otherwise `pi-manage` doesn't work inside the Python env (which is 3.10
whereas privacyidea requires 3.9).

Failing Hydra build: https://hydra.nixos.org/build/182734928
2022-07-05 19:38:54 +02:00
Jörg Thalheim
826c20dcae
nixos/vault: add option to start in dev mode. (#180114)
* nixos/vault: add option to start in dev mode.

This is not only useful for nixos tests i.e. when testing vault agent
setups but also when playing around with vault in local setups. In our
tests we can now make use of this option to test more vault features.
i.e. adding this feature has uncovered the need for a `StateDirectory`.

* Update nixos/modules/services/security/vault.nix

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>

Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com>
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2022-07-05 10:54:11 +02:00
Niklas Hambüchen
5683c6e03b nixos/vaultwarden: Make example more detailed.
It took me a while to figure out how to correctly setup
vaultwarden on NixOS.
I hope that this more detailed example will help others.
2022-06-08 17:03:53 +02:00
Zhaofeng Li
6c4bfe583c nixos/infnoise: init 2022-05-27 15:18:43 -07:00
Janne Heß
e6fb1e63d1
Merge pull request #171650 from helsinki-systems/feat/config-systemd-package
treewide: pkgs.systemd -> config.systemd.package
2022-05-09 10:23:04 +02:00
Janne Heß
57cd07f3a9
treewide: pkgs.systemd -> config.systemd.package
This ensures there is only one systemd package when e.g. testing the
next systemd version.
2022-05-05 20:00:31 +02:00
Kerstin Humm
c126babb28 nixos/kanidm: init
Co-Authored-By:  Martin Weinelt <mweinelt@users.noreply.github.com>
Co-Authored-By:  Flakebi <flakebi@t-online.de>
2022-05-05 19:06:13 +02:00
Aaron Andersen
fc5df319cf
Merge pull request #165764 from notgne2/oauth2-proxy-group
nixos/oauth2_proxy: add user group
2022-04-01 13:32:21 +02:00
P. R. d. O
f24ae9654d
nixos/sslmate-agent: init 2022-03-28 17:41:18 -06:00
notgne2
863773970c
nixos/oauth2_proxy: add user group 2022-03-25 08:35:30 -07:00
Sandro
3d48fda6f5
Merge pull request #164330 from Luflosi/fix-tor-client-disable 2022-03-20 19:51:30 +01:00