Commit Graph

318 Commits

Author SHA1 Message Date
Yegor Timoshenko
1bb95d8409
Merge pull request #42775 from mkaito/oauth2_proxy-virtualHosts
oauth2_proxy: add nginx vhost module
2018-07-05 22:15:50 +03:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Michishige Kaito
2fec848254 fixup! oauth2_proxy: add nginx vhost module 2018-06-29 16:23:24 +01:00
Michishige Kaito
4a72999c75 oauth2_proxy: add nginx vhost module 2018-06-29 15:36:03 +01:00
Yegor Timoshenko
5e5bdfa6ad
Merge pull request #41098 from mkaito/oauth2_proxy
oauth2_proxy: Handle attributes being derivations
2018-06-18 20:47:55 +03:00
Joachim Fasting
c449f0b55c
nixos/tor: grammer fix, advise -> advice
Seems to me that the noun form is more appropriate here.
2018-06-18 12:40:09 +02:00
SLNOS
adab27a352 nixos/tor: use ControlPort for controlSocket for simplicity 2018-06-11 15:52:24 +00:00
SLNOS
2de3c4bd78 nixos/tor: add tor-init service to fix directory ownerships, fix hardenings
This reverts a part of 5bd12c694b.

Apparently there's no way to specify user for RuntimeDirectory in systemd
service file (it's always root) but tor won't create control socket if the dir
is owned by anybody except the tor user.

These hardenings were adopted from the upstream service file, checked
against systemd.service(5) and systemd.exec(5) manuals, and tested to
actually work with all the options enabled.

`PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5),
removed.

`--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-06-11 15:52:24 +00:00
markuskowa
96af022af5 nixos/munge: run munge as user munge instead of root. (#41509)
* Added a note in release notes (incompatibilities)
* Adapt slurm test
* Change user to munge in service.munge
2018-06-09 00:50:28 +02:00
Michishige Kaito
170223fe64 Handle attributes being derivations 2018-05-26 12:05:04 +01:00
bricewge
21b926003d sshguard: service creates /var/lib/sshguard 2018-05-05 00:29:44 -05:00
Yegor Timoshenko
e71c36369f
Merge pull request #39002 from serokell/oauth2_proxy_mod
oauth2_proxy: refactor service
2018-04-27 22:15:50 +03:00
Yorick van Pelt
048c991eb0
oauth2_proxy: use explicit upstream default for setXauthrequest 2018-04-27 16:45:38 +02:00
Robert Schütz
5bd12c694b
nixos/tor: use RuntimeDirectory, StateDirectory (#39083) 2018-04-18 09:42:45 +02:00
Yorick van Pelt
a037cbd46b
oauth2_proxy: add keyFile, make some options optional 2018-04-16 14:06:22 +02:00
Yorick van Pelt
b901c40a8e
oauth2_proxy: update module for extraConfig support 2018-04-16 13:10:31 +02:00
Joachim F
1c889be474
Merge pull request #37827 from oxij/pull/28938-tor-control-port
nixos/tor: expose control socket
2018-03-26 13:05:27 +00:00
Jaka Hudoklin
cb9c1c63c9 nixos/tor: expose control socket 2018-03-26 00:41:10 +00:00
Dan Peebles
6fa9d9cdbd hologram-server module: add cache timeout option
The version of hologram we're using has supported this option for a
while, but we didn't expose it through the NixOS module
2018-03-21 12:58:25 -04:00
Joel Thompson
fe2e4d6fb9 hologram: Enable configuring LDAP authorization
In AdRoll/hologram#62 support was added to hologram to configure
LDAP-based authorization of which roles a user was allowed to get
credentials for. This adds the ability to configure that.

Additionally, AdRoll/hologram/#94 added support to customize the LDAP
group query, so this also feeds that configuration through.

fixes #37393
2018-03-20 07:36:23 +00:00
Shea Levy
fec543436d
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
Nadrieril
297fac40ca nixos/usbguard: Do not check permissions on rules file (using undocumented -P flag) 2018-02-27 18:34:02 +00:00
rnhmjoj
e81811a579
nixos/modules: rename IP addresses/routes options 2018-02-17 14:57:07 +01:00
Jörg Thalheim
9fab083b79
Merge pull request #34524 from Infinisil/physlock-allowAnyUser
nixos/physlock: add allowAnyUser option
2018-02-10 09:58:36 +00:00
Robert Schütz
355de06fe4 nixos/tor: add hiddenServices.<name>.authorizeClient 2018-02-08 10:02:22 +01:00
Silvan Mosberger
cfd22b733b
physlock: add allowAnyUser option 2018-02-02 14:03:00 +01:00
Léo Gaspard
7b878a443a
nixos/clamav: replace mkIf [] with optional 2018-01-06 16:52:14 +01:00
Nadrieril
95fde40b71 usbguard service: rules option should be of type 'lines' 2017-12-29 03:19:36 +01:00
Jaka Hudoklin
bc557912a1
Merge pull request #28939 from xtruder/nixos/tor/trans_proxy
tor module: add support for transparent proxy and dns
2017-12-03 21:47:11 +01:00
Léo Gaspard
652842d82e clamav module: make services.clamav.daemon.enable actually work 2017-11-28 13:45:13 +01:00
Joachim F
815bebf9e8 Merge pull request #30173 from dmjio/patch-1
oauth2_proxy: default address updated
2017-10-20 16:28:40 +00:00
Peter Hoeg
3211098632 Revert "sshguard: make it run"
This reverts commit 69d8b81b4b.
2017-10-14 14:42:49 +08:00
Peter Hoeg
69d8b81b4b sshguard: make it run 2017-10-14 14:38:04 +08:00
Dan Peebles
56e18c50cc Revert "Simple proof of concept for how to do other types of services"
This reverts commit 7c3253e519.

I included this in another push by accident and never intended for it to
be in mainline. See https://github.com/NixOS/nixpkgs/pull/26075 if you
want more.
2017-10-13 09:17:13 -04:00
David Johnson
5b530d4568 oauth2_proxy: default address updated
Go will fail to parse this otherwise.
https://github.com/golang/go/issues/19297
2017-10-06 16:52:22 -07:00
Jaka Hudoklin
78a86c9072 nixos/tor: add support for transparent proxy and dns 2017-09-23 20:13:08 +02:00
Rob Vermaas
1b71376cf2
Make sure dummy kernel module is loaded for hologram-agent.
(cherry picked from commit eb873f6c78)
2017-09-20 10:58:24 +00:00
Jörg Thalheim
bb5b084986 tor: skip ControlPort in torrc, if not set. 2017-09-13 23:33:46 +01:00
timor
ae87a30a83 physlock: 0.5 -> 11-dev
Update physlock to a more current version which supports PAM and
systemd-logind.  Amongst others, this should work now with the slim
login manager without any additional configuration, because it does
not rely on the utmp mechanism anymore.
2017-09-10 22:43:05 +02:00
Tim Steinbach
ae742fa495
frandom: Remove 2017-08-29 20:01:25 -04:00
Phil
4f2935390e nixos/usbguard: create package and module (#28363)
* nixos/usbguard: create package and module

No usbguard module or package existed for NixOS previously. USBGuard
will protect you from BadUSB attacks. (assuming configuration is done
correctly)

* nixos/usbguard: remove extra packages

Users can override this by themselves.

* nixos/usbguard: add maintainer and fix style
2017-08-25 23:35:18 +01:00
Joachim F
9447b8b9cd Merge pull request #28338 from oxij/nixos/better-tor
nixos: better tor config
2017-08-24 08:12:59 +00:00
SLNOS
2c4a925ab0 nixos: tor: rename portSpec -> port, type all "port"s properly 2017-08-22 14:57:07 +00:00
SLNOS
30a3cccd07 nixos: tor: better submodule for hidden services
Rebased onto master with a different implementation.
Originally: "add support for serving hidden services".
2017-08-22 14:57:07 +00:00
SLNOS
9226f4886f nixos: tor: more options, no unexpected consequences for default relay operators
Before this commit default relay configuration could produce unexpected
real life consequences. This patch makes those choices explicit and
documents them extensively.
2017-08-22 14:57:06 +00:00
Christian Albrecht
964799e556 sks and pgpkeyserver-lite modules: init (#27515)
* modules sks and pgpkeyserver-lite:
  runs the sks keyserver with optional nginx proxy for webgui.
* Add calbrecht to maintainers
* module sks: fix default hkpAddress value
* module pgpkeyserver-lite: make hkpAddress a string type option
  and use (builtins.head services.sks.hkpAddress) as default value
* module sks: remove leftover service dependencies
2017-08-22 12:27:00 +02:00
Phil
b4d2cd6f6a nixos/tor: add tor hidden service options (#28081)
* nixos/tor: add hiddenServices option

This change allows to configure hidden services more conveniently.

* nixos/tor: fix default/example mixup

* nixos/tor: use docbook in documentation

Also use more elegant optionalString for optional strings.

* tor: seperate hidden service port by newline

* tor: better example for hidden service path

a path below /var/lib/tor is usually used for hidden services
2017-08-11 22:59:52 +01:00
Rhys
8777174d60 nixos/oauth2_proxy: actually pass provider-specific options
Syntax errors prevented important parameters from being passed to
oauth2_proxy, which could have permitted unauthorised access to
services behind the proxy.
2017-07-21 00:27:06 +02:00
Volth
334e85e75a vault: do not restart the service on "nixos-rebuild switch" 2017-07-03 19:46:02 +00:00
Volth
68bf28adaf vault: services.vault.storagePath for the file backend 2017-06-29 21:10:56 +00:00
Volth
2056c7e395 removed generation of self-signed certificate 2017-06-28 22:22:53 +00:00
Volth
519f17035f vault: add unitConfig.RequiresMountsFor to systemd config 2017-06-28 21:16:04 +00:00
Volth
7330e80456 vault: start after consul if consul is used as storage backend 2017-06-28 00:58:19 +00:00
Volth
d016ef1f5b create directory only for "file" storage 2017-06-27 20:22:53 +00:00
Volth
4c428b4a6f vault: run as an unpivileged user 2017-06-27 19:34:12 +00:00
Katyucha
cad450e6d6 delete lines 2017-06-27 19:34:12 +00:00
Katyucha
442f76d72a Vault: 0.6.5 -> 0.7.2 with services 2017-06-27 19:34:12 +00:00
Dan Peebles
7c3253e519 Simple proof of concept for how to do other types of services 2017-05-26 18:14:31 -04:00
J M
03d190d54f shibboleth: Add Myself as a Maintainer (#25817) 2017-05-16 10:11:55 +01:00
jammerful
d8c1977bb5 shibboleth-sp module: Set Config File Path for FastCGI Units
Without this environment variable both shibauthorizer and
shibresponder default to ${pkgs.shibboleth-sp}etc/shibboleth/shibboleth2.xml
2017-05-02 19:58:03 -04:00
jammerful
9f18af5991 Add Shibboleth Service Provider Module 2017-05-02 11:29:58 -04:00
Michael Raskin
d5ec7bc748 Merge pull request #23697 from sargon/master
sshguard + service: init at 2.0.0
2017-04-30 21:43:12 +02:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Daniel Ehlers
20a5b5bead sshguard: new package 2017-03-26 14:46:22 +02:00
Joachim Fasting
95eaa3aec3
nixos/tor: add missing option type 2017-03-22 02:27:23 +01:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Jan Malakhovski
a04782581a nixos: torify: disable by default, add some documentation as of why
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.

Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
2017-03-16 21:06:12 +00:00
Jan Malakhovski
6d25f77a64 nixos: tor: add enableGeoIP 2017-03-16 21:06:12 +00:00
Bart Brouns
bb3ef8a95c physlock: fix issue 21935 2017-03-15 11:47:02 +01:00
Fernando J Pando
1d85e0bbab hologram: 8d86e3f -> d20d1c3
- Updates dependencies
- Adds configuration module
- Tested on Nixos Unstable
2017-02-02 11:31:42 -05:00
Bjørn Forsman
4c803b904e nixos/clamav: set "clamav" user's primary group to "clamav"
So that the files created by the clamav service is owned by group
"clamav" instead of "nogroup".
2017-01-15 22:56:34 +01:00
Renaud
fa0a63ec13 fail2ban service : improve ssh jail (#21131)
Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
2016-12-14 14:58:02 +01:00
Franz Pletz
9e1e3b2880
clamav service: refactor
* Sync systemd units with upstream. Upstream uses SIGUSR2 instead of SIGHUP
  to reload the clamd service.

* Convert freshclam service to a oneshot service activated by a systemd timer.
  This way we can make clamd wait for freshclam to finish fetching the virus
  database before failing to start if the database doesn't exist yet.

* Fixes console tools to work as expected as they require hardcoded config
  file locations.
2016-11-15 04:47:14 +01:00
Franz Pletz
02e9c88d77
clamav: don't bundle freshclam config with package
Building clamav is expensive due to the bundled llvm.

Closes #20304.
2016-11-15 02:06:02 +01:00
Joachim Fasting
820b769fc8 oauth2_proxy: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Robert Helgesson
b023e8f303 haveged module: clean up service configuration (#18513)
Switches from the forking service type to simple by running haveged in
the foreground. Also restricts the execution environment a bit (these
are inspired by the Debian service file).
2016-09-13 07:07:46 +02:00
Kamil Chmielewski
437ea9fd37 Fixes #16181 - using bin output for Go services 2016-06-13 23:32:16 +02:00
Joachim Fasting
c1cb5ca57e
oauth2_proxy module: fix manual build 2016-06-10 01:02:40 +02:00
Jonathan Lange
58599744ee Add module for oauth2_proxy 2016-06-09 15:00:23 +01:00
Taeradan
77028b1e8d
fail2ban service: add iproute to PATH
iproute is required for blocking via null routes; without it, rules
based on routes.conf will fail.

Closes #15638
2016-05-23 15:57:21 +02:00
Alexander Ried
fc941899a3 fail2ban: rework service 2016-04-26 20:34:41 +02:00
Martin Sturm
507ad9a4f9 clamav: Use freshclam.conf defined by clamav-updater module if enabled 2016-03-04 02:26:44 +01:00
Leroy Hopson
eb90705d45 fail2ban service: fix formatting of example 2016-02-27 22:25:39 +13:00
aszlig
7bdcfb33f4
nixos: Provide a defaultText for type = package
We don't want to build all those things along with the manual, so that's
what the defaultText attribute is for.

Unfortunately a few of them were missing, so let's add them.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-02-17 21:12:24 +01:00
Tomas Vestelind
11d475af29 haka: options for nixos 2016-01-23 01:19:53 +01:00
Robin Gloster
88292fdf09 jobs -> systemd.services 2016-01-07 06:39:06 +00:00
Svein Ove Aas
f16594e18b nixos/fail2ban: Enable jails by default
With jails defaulting to 'enabled = true', the sshd jail that NixOS
defines will now be enabled.

[Bjørn: tweak commit message]
2016-01-04 21:52:32 +01:00
JC Brand
b5b9b03518 clamav: improvements
- Add new service for `clamd`, the ClamAV daemon.
- Replace the old upstart "jobs" section with systemd.services
- Remove unnecessary config options.
- Use `mkEnableOption`
2015-12-13 15:55:56 +00:00
JC Brand
36e1e3a8a6 clamav: Fixed indentation. 2015-12-13 15:13:12 +00:00
Jan Malakhovski
75ba6b553c nixos: add physlock service 2015-09-18 19:12:34 +00:00
William A. Kennington III
83cf8b0cf8 goPackages: Split into multiple derivations
This should reduce the closure size for end users who only need go
binaries as well as reduce the size of closures hydra builders consume.
2015-08-29 12:58:03 -07:00
Dan Peebles
81d8074881 Add hologram service 2015-04-23 14:30:12 -04:00
Arseniy Seroka
69e59e9962 munge: add service 2015-03-07 00:26:52 +03:00
Bjørn Forsman
25a6745310 nixos/fail2ban: capitalize service description 2015-02-22 16:54:14 +01:00
Nikolay Amiantov
a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Evgeny Egorochkin
9225af50d0 resurrect torsocks-faster 2014-12-19 08:05:41 +02:00
Evgeny Egorochkin
eb0874d5ff rename torify to tsocks, to avoid name clashes and make it clear which wrapper library is used 2014-12-19 08:05:41 +02:00
Evgeny Egorochkin
633cc58d5c torsocks: enable by default if tor client functionality is enabled 2014-12-19 08:05:41 +02:00
Evgeny Egorochkin
824b3b1a99 tor: restore the Privoxy setup, but configure the system Privoxy instead of running a separate instance. 2014-12-19 08:05:41 +02:00
Evgeny Egorochkin
1fe5314dc5 tor: restore strong circuit isolation 2014-12-19 08:05:41 +02:00
Evgeny Egorochkin
da118cf60b Revert "nixos: Remove torify module"
tsocks is still useful because it's less strict

This reverts commit 1b26faeb69.
2014-12-19 08:05:41 +02:00
vi
c005dc0e6b Tor module: append redundant specifications of 'extraConfig', via 'types.lines'. 2014-12-11 14:23:48 +00:00
Austin Seipp
bc10c92377 nixos: overhaul Tor module
This overhauls the Tor module in a few ways:

  - Uses systemd service files, including hardening/config checks
  - Removed old privoxy support; users should use the Tor Browser
    instead.
  - Remove 'fast' circuit/SOCKS port; most users don't care (and it adds
    added complexity and confusion)
  - Added support for bandwidth accounting
  - Removed old relay listenAddress option; taken over by portSpec
  - Formatting, description, code cleanups.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 05:01:08 -06:00
Austin Seipp
e5e8efc1f4 nixos: rewrite torsocks module
Rather than trying to override the 'torsocks' executable in $PATH, the
new module instead properly configures `/etc/tor/torsocks.conf` and puts
the normal `torsocks` executable in $PATH so it can work out of the box.

As a bonus, I think this module actually works now, because the torsocks
configuration has changed a lot from when this was written, it seems...

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 05:00:27 -06:00
Austin Seipp
1b26faeb69 nixos: Remove torify module
'torify' now ships with the tor bundle itself; and using torsocks is
recommended over tsocks (torify will use torsocks automatically.)

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-12-06 05:00:26 -06:00
Rickard Nilsson
63d9366212 nixos/haveged: Fix incorrect unit configuration (documentation -> Documentation) 2014-11-19 12:56:42 +01:00
Bjørn Forsman
b7a889759d nixos/fail2ban: don't use types.string (it's deprecated)
I'm not really sure which one of types.lines or types.str that fit
better, but I'm going for types.lines because it behaves more like the
current type (i.e. have the ability to merge).
2014-09-05 22:56:30 +02:00
Longrin Wischnewski
28fd7ea190 clamav: run freshclam in daemon mode 2014-09-01 09:41:19 +02:00
Joel Taylor
d8cca3d624 fail2ban: systemd support
- upgrade fail2ban to 0.9
- override systemd to enable python support and include sqlite3 module
- make fail2ban enablable
2014-08-08 00:10:19 +02:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra
2bb8d963b1 Die tabs die 2014-04-09 00:17:16 +02:00
Eelco Dolstra
e09250d41c Disable allowUnfree by default
Fixes #2134.
2014-04-09 00:09:31 +02:00
Alexei Robyn
6d80803e66 Adds a service for haveged, the entropy daemon
Includes configuration option for the threshold beneath which to refill
the entropy pool - defaults to 1024 bits as this is the number used in
other distro's existing service files I looked at.
2014-01-17 22:10:52 +11:00
Eelco Dolstra
14018c2de1 fail2ban: Fix preStart action
Creating /run/fail2ban didn't work since it didn't have write
permission to /run.  Now it does.

Reported by Thomas Bereknyei.
2013-12-11 21:16:58 +01:00
Eelco Dolstra
244cf195c8 Use the "assertions" option instead of mkAssert 2013-10-30 18:47:44 +01:00
Eelco Dolstra
7c7bfa817a fail2ban: Update to 0.8.10
Also fix random start failures due to a race between the fail2ban
server and the postStart script.
2013-10-16 10:03:43 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00