Commit Graph

223 Commits

Author SHA1 Message Date
Malte Brandy
cebf9198f3
treewide: De-inline uses of lib.boolToString
This commit should not change eval results
2020-10-14 01:46:17 +02:00
WilliButz
76362dd7eb
nixos/bitwarden_rs: add environmentFile option
Add the option `environmentFile` to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.
2020-09-07 17:39:53 +02:00
WORLDofPEACE
18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Silvan Mosberger
6716867eb3
Merge pull request #96686 from nixy/add/tor-package-option
tor: Add option to tor service for package
2020-08-30 23:02:37 +02:00
Andrew R. M
168a9c8d38 Add option to tor service for package 2020-08-30 14:35:36 -04:00
Lassulus
c265ca02ca
Merge pull request #85963 from seqizz/g_physlock_message
physlock: add optional lock message
2020-08-27 10:18:34 +02:00
Florian Klink
962e15aebc nixos: remove StandardOutput=syslog, StandardError=syslog lines
Since systemd 243, docs were already steering users towards using
`journal`:

eedaf7f322

systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):

> [    6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
 your unit file, and consider removing the setting altogether.

So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:

> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
2020-08-13 18:49:15 +02:00
Philipp Bartsch
ffd18cc1b1 nixos/usbguard: rework
Use StateDirectory to create necessary directories and hardcode some
paths. Also drop file based audit logs, they can be found in the
journal. And add module option deprecation messages.
2020-08-08 23:26:07 +02:00
Jörg Thalheim
ba930d8679
nixos/modules: remove trailing whitespace
This leads to ci failure otherwise if the file gets changed.
git-blame can ignore whitespace changes.
2020-08-07 14:45:39 +01:00
Florian Klink
ebfae82674 nixos/yubikey-agent: add missing mkIf
This accidentially added pkgs.yubikey-agent to
environment.systemPackages unconditionally.
2020-07-26 09:34:24 +02:00
Florian Klink
8f7a623af6
Merge pull request #92936 from philandstuff/add-yubikey-agent
yubikey-agent: init at 0.1.3
2020-07-23 17:52:30 +02:00
Nikola Knežević
53f42f245a
oauth2_proxy: 5.1.1 -> 6.0.0 (#93121)
The new release fixes one of the outstanding CVEs against oauth2_proxy:
https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv.

In addition, rename the owner and the project name to reflect the
changes upstream (it now belongs to the oauth2-proxy organization, and
the name is oauth2-proxy)
2020-07-19 22:08:33 -07:00
Philip Potter
e4029c34fc yubikey-agent: init at 0.1.3
This adds yubikey-agent as a package and a nixos module.

On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.

On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").

This might work on other flavors of unix, but I haven't tested.

We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally.  We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running.  As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.
2020-07-16 15:29:33 +01:00
Benjamin Hipple
152a29fef8
Merge pull request #77557 from c0deaddict/feature/nginx-sso-package-option
nixos/nginx.sso: add package option
2020-07-05 21:24:22 -04:00
Samuel Gräfenstein
5bb0b72720
nixos/*: wheter -> whether 2020-07-04 15:20:41 +02:00
Silvan Mosberger
f03e85f703
Merge pull request #74589 from tmplt/fix-physlock
nixos/physlock: add suspend-then-hibernate to lockOn.suspend units
2020-06-17 18:06:52 +02:00
tmplt
51e995cc05 nixos/physlock: add suspend-then-hibernate to suspend/hibernate units 2020-06-16 23:42:56 +02:00
Jan Tojnar
0af23b05ab
Merge pull request #75435 from Elyhaka/fprintd 2020-05-25 12:22:48 +02:00
Philipp Bartsch
2827491c23 nixos/usbguard: update systemd sandboxing features
Apply upstream systemd service configuration options to improve
sandboxing.
2020-05-24 10:36:07 +02:00
Elyhaka
131a28e9f2
fprintd: 0.9.0 -> 1.90.1 2020-05-19 14:03:31 +02:00
Linus Heckemann
db010c5537
Merge pull request #85687 from mayflower/privacyidea
Init privacyIDEA packages and modules
2020-05-13 09:08:57 +02:00
Robin Gloster
f1f0e82c50
privacyidea: address reviews 2020-05-09 12:11:44 +02:00
zowoq
c59c4e3589 nixos/*: use $out instead of $bin with buildGoPackage 2020-04-28 20:30:29 +10:00
Gürkan Gür
e140dc9e4c physlock: add optional lock message 2020-04-24 23:26:57 +02:00
Bas van Dijk
784aa2913a
Merge pull request #79840 from knl/update-oauth2_proxy-to-5.0.0
oauth2_proxy: 3.2.0 -> 5.1.0
2020-04-22 12:15:07 +02:00
Robin Gloster
134c66b584
privacyidea module: init 2020-04-21 16:54:51 +02:00
Dominik Xaver Hörl
0412bde942 treewide: add bool type to enable options, or make use of mkEnableOption
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Nikola Knezevic
3c551848be oauth2_proxy: Update NixOS module
Update to match the current flags and apply fixes to all breaking changes.
2020-04-20 10:11:46 +02:00
Pavol Rusnak
fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs 2020-04-18 14:04:37 +02:00
Simon Lackerbauer
017dca51fa
fail2ban: fix firewall warning 2020-03-22 18:11:36 +01:00
Izorkin
c75398b10a nixos/fail2ban: disable work fail2ban without firewall 2020-03-18 09:54:19 +03:00
Jörg Thalheim
c23f10da6a
fail2ban: 0.10.5 -> 0.11.1 (#67931)
fail2ban: 0.10.5 -> 0.11.1
2020-01-31 08:58:58 +00:00
Izorkin
96e2669114 nixos/fail2ban: enable sandboxing 2020-01-29 23:15:56 +03:00
Izorkin
f1d7dfe29f nixos/fail2ban: add custom options 2020-01-29 23:15:56 +03:00
Izorkin
a55be8d794 nixos/fail2ban: update serviceConfig 2020-01-29 23:15:56 +03:00
Izorkin
182012ef43 nixos/fail2ban: add options to enable work service with iptables-compat 2020-01-29 23:15:56 +03:00
Izorkin
68d601d65c nixos/fail2ban: clean-up configuration 2020-01-29 23:15:56 +03:00
Matthijs Steen
44dff89215 bitwarden_rs: 1.9.1 -> 1.13.1 2020-01-28 17:26:49 +01:00
Andreas Brenk
36da345caa nixos/sshguard: use nftables backend if enabled
The current module assumes use of iptables and breaks if nftables is
used instead.

This change configures the correct backend based on the
config.networking.nftables.enable setting.
2020-01-27 14:42:28 +01:00
Yorick van Pelt
15e98e7428
nixos/vault: add ExecReload entry 2020-01-24 18:59:13 +01:00
Jos van Bakel
6f3b04eb71
nixos/nginx.sso: add package option 2020-01-12 14:35:23 +01:00
Robert Hensing
9884cb3ed0
Merge pull request #76861 from Infinisil/paths-as-submodules
lib/types: Allow paths as submodule values
2020-01-12 14:19:04 +01:00
markuskowa
59670b0c56
Merge pull request #76939 from lourkeur/fix_76184_tsocks
nixos/tsocks: Add types to the options
2020-01-09 21:33:18 +01:00
Silvan Mosberger
228a7b173e
nixos/certmgr: Flip either submodule path type
For upcoming allowance of paths as submodules
2020-01-08 23:54:45 +01:00
rnhmjoj
1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Louis Bettens
caa9ce1caa nixos/tsocks: Add types to the options 2020-01-05 00:15:26 +01:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
EEva (JPotier)
9b78e5f35d vault: fix config when file backend is used
When the option services.vault.storageBackend is set to "file", a
systemd.tmpfiles.rules was added, with extraneous []. These are not
needed and have been removed.
2019-11-05 16:54:34 +01:00
Janne Heß
d6c08776ba treewide: Switch to system users 2019-10-12 22:25:28 +02:00