Thomas Gerbet
deed6fb8f3
Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix
...
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
2024-04-28 09:24:38 +02:00
Vir Chaudhury
4ca92fb6ec
nixos/isolate: init module
2024-04-22 10:19:09 +08:00
Victor Engmark
c11815167f
nixos/duosec: Split mkdir mode into chmod command for clarity
...
As recommended by ShellCheck
<https://github.com/koalaman/shellcheck/wiki/SC2174>.
2024-04-22 01:40:55 +10:00
stuebinm
6afb255d97
nixos: remove all uses of lib.mdDoc
...
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00
Bjørn Forsman
a29010fe79
nixos: improve many 'enable' descriptions
2024-04-09 07:10:17 +02:00
Noah S-C
5c4858ad7b
More specific link to tag spec
...
Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
2024-04-03 17:52:28 +01:00
Noah Santschi-Cooney
1a5acce391
nixos/sudo: update command options enum for newer sudo version
...
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version.
MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8).
2024-04-02 15:15:53 +01:00
Janne Heß
fcc95ff817
treewide: Fix all Nix ASTs in all markdown files
...
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00
Nick Cao
cee0d0bac7
nixos/pam: use services.fprintd.package for fprintd rule
2024-03-22 20:14:49 -04:00
Adam C. Stephens
b52452f8c7
Merge pull request #291951 from amarshall/zfs-pkgs-renaming
...
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-03-01 10:09:12 -05:00
K900
8be79e54c5
nixos/pam/kwallet: rename option, allow setting package
2024-02-28 18:49:33 +03:00
Andrew Marshall
2e36c49949
nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion
...
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
2024-02-27 18:46:00 -05:00
Ryan Lahfa
d9e7a2a88a
Merge pull request #286857 from RaitoBezarius/cacerts
...
nixos/security/ca: enable support for compatibility bundles
2024-02-11 19:44:02 +01:00
Raito Bezarius
19159a2349
nixos/security/ca: enable support for compatibility bundles
...
Certain software stacks have no support for OpenSSL's non-standard PEM format and will fail to use
our NixOS CA bundle.
For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional
trust rules.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
Raito Bezarius
2d78f55438
pam_usb, nixos/pam-usb: drop
...
`security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-08 02:59:45 +01:00
Sandro
4494fcaab7
nixos/acme: default to Let's Encrypt production URL instead of null, mention Let's Encrypt staging URI (#270221)
2024-02-06 01:51:09 +01:00
Rhys Davies
d102910f47
nixos/pam: Add pam_intune
2024-02-02 10:01:52 +13:00
Pierre Bourdon
3484985991
Merge pull request #285587 from edef1c/wrapper-cve-2023-6246
...
nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01 19:18:45 +01:00
edef
b4c9840652
nixos/modules/security/wrappers: limit argv0 to 512 bytes
...
This mitigates CVE-2023-6246, crucially without a mass-rebuild.
Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
2024-02-01 18:16:55 +00:00
Adam Stephens
75ec325cb9
nixos/pam: remove pam_cgfs
...
pam_cgfs is a cgroups-v1 PAM module. Verified with upstream that
this module is no longer necessary on cgroups-v2 systems.
2024-01-31 17:19:23 -05:00
éclairevoyant
b43dcaf48f
nixos/acme: fix assertion for renamed option
2024-01-19 16:28:56 -05:00
mian | mian
fbe9d95ed9
fix semi-colon missing
2024-01-18 16:31:54 +08:00
nicoo
bd6966bc4a
nixos/pam: Secure default for sshAgentAuth.authorizedKeysFiles
...
Closes #31611
2024-01-12 13:39:08 +00:00
Peder Bergebakken Sundt
dff635f38d
Merge pull request #243169 from 2xsaiko/outgoing/krb5
...
nixos/krb5: cleanup, fix and RFC42-ify
2024-01-10 21:06:15 +01:00
nicoo
0e5c95035d
nixos/pam: Fix use of renamed enableSSHAgentAuth option
2024-01-08 18:13:46 +00:00
Maciej Krüger
b5b2f6bec4
Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611
...
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
2024-01-08 17:42:02 +01:00
Maciej Krüger
c931d73fba
Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth
...
nixos/pam: Add assertion for SSH-agent auth
2024-01-07 13:54:27 +01:00
nicoo
2eac5106f1
nixos/sudo: Remove unused enableSSHAgentAuth let-binding
2024-01-04 17:30:09 +00:00
nicoo
9ed1423dcf
nixos/pam: Warn on insecure sshAgentAuth configurations
2024-01-04 17:30:09 +00:00
nicoo
822c0a86bd
nixos/pam: Add sshAgentAuth.authorizedKeysFiles option
2024-01-03 14:49:36 +00:00
nicoo
a46ea51ca3
nixos/pam: Rename option enableSSHAgentAuth to sshAgentAuth.enable
2024-01-03 14:49:36 +00:00
Maciej Krüger
4f9e98905e
nixos/auditd: fix typo
...
Would otherwise fail with
```
error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
- In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
2024-01-01 17:28:46 +01:00
nicoo
607679c6d3
nixos/pam: Assert that authorizedKeysFiles is non-empty when using pam_ssh_agent_auth
2023-12-30 22:19:38 +00:00
nikstur
d0014a531e
nixos/wrappers: order service after sysusers service
2023-12-29 03:41:45 +01:00
nikstur
65ff518a0d
nixos/ipa: replace activationScript
...
Replaced with a dedicated systemd service.
2023-12-29 03:41:45 +01:00
nikstur
c9569af3e0
Merge pull request #271326 from philiptaron/shutdown.target
...
treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case
2023-12-27 08:33:26 +01:00
Sandro Jäckel
35ca689119
nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it
...
Also fix the comment with test instructions
2023-12-24 20:36:12 +01:00
nicoo
1e9e8a0db0
nixos/sudo-rs: Removed unused let-binding
...
Leftover from bcc2d1238a
2023-12-24 13:58:08 +00:00
Marco Rebhan
5ee94c0170
nixos/krb5: add h7x4 as maintainer
2023-12-21 11:38:22 +01:00
Marco Rebhan
a4a9be35f4
nixos/krb5: add myself as maintainer for module & tests
2023-12-21 11:38:18 +01:00
Marco Rebhan
fed77d1705
nixos/krb5: move to security.krb5
2023-12-21 11:35:26 +01:00
pennae
90c53f5341
Merge pull request #270224 from SuperSandro2000/patch-2
...
nixos/acme: add syntax highlighting to code blocks
2023-12-11 09:03:32 +01:00
Sandro
5a64fb2799
nixos/acme: add syntax highlighting to code blocks
2023-12-10 19:59:22 +01:00
Philip Taron
a7a5b2eca1
nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target
2023-11-30 15:03:56 -08:00
Philip Taron
d7ab46ed87
nixos/duosec: ensure correct ordering w.r.t. shutdown.target
2023-11-30 15:02:51 -08:00
Philip Taron
407ef67228
nixos/auditd: ensure correct ordering w.r.t. shutdown.target
...
This looks like it's got a few other idiosyncrasies, but I'll leave it
alone for now.
2023-11-30 15:00:39 -08:00
Philip Taron
454f3cb58d
nixos/apparmor: ensure correct ordering w.r.t. shutdown.target
2023-11-30 14:57:59 -08:00
Weijia Wang
feeae486de
Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption
...
treewide: use `mkPackageOption`
2023-11-30 02:49:30 +01:00
h7x4
0a37316d6c
treewide: use mkPackageOption
...
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
nicoo
bcc2d1238a
nixos/sudo-rs: Move support for pam_ssh_agent_auth(8) to PAM's NixOS module
...
Similar to delroth's suggestion in #262790.
2023-11-25 14:11:25 +00:00