Commit Graph

977 Commits

Author SHA1 Message Date
éclairevoyant
7d8742da87
treewide: fix mkEnableOption usage 2024-06-14 02:41:42 -04:00
Stéphan Kochen
d1f07e6382 nixos/acme: allow setting security.acme.defaults.server = null to keep old accounts directory
The accounts directory is based on the hash of the settings.

https://github.com/NixOS/nixpkgs/pull/270221 changed the  default of
security.acme.defaults.server from null to the default letsencrypt URL
however as an unwanted side effect this means the accounts directory
changes and the ACME module will create a new a new account.

This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments

We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.

Fixes https://github.com/NixOS/nixpkgs/issues/316608

Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
2024-06-04 20:09:46 +02:00
aszlig
e4bd1e8f92
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:41 +02:00
aszlig
0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
Julien Moutinho
0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Thomas Gerbet
deed6fb8f3
Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix
nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
2024-04-28 09:24:38 +02:00
Vir Chaudhury
4ca92fb6ec nixos/isolate: init module 2024-04-22 10:19:09 +08:00
Victor Engmark
c11815167f nixos/duosec: Split mkdir mode into chmod command for clarity
As recommended by ShellCheck
<https://github.com/koalaman/shellcheck/wiki/SC2174>.
2024-04-22 01:40:55 +10:00
stuebinm
6afb255d97 nixos: remove all uses of lib.mdDoc
these changes were generated with nixq 0.0.2, by running

  nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix

two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.

Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00
Bjørn Forsman
a29010fe79 nixos: improve many 'enable' descriptions 2024-04-09 07:10:17 +02:00
Noah S-C
5c4858ad7b
More specific link to tag spec
Co-authored-by: Aleksana <alexander.huang.y@gmail.com>
2024-04-03 17:52:28 +01:00
Noah Santschi-Cooney
1a5acce391
nixos/sudo: update command options enum for newer sudo version
The enum of allowed command options (NOPASSWD, NOEXEC etc) had not been updated when bumping sudo version.
MAIL/NOMAIL were added in [1.8.13](https://www.sudo.ws/releases/legacy/#1.8.13), FOLLOW/NOFOLLOW were added in [1.8.15](https://www.sudo.ws/releases/legacy/#1.8.15) and INTERCEPT/NOINTERCEPT in [1.9.8](https://www.sudo.ws/releases/stable/#1.9.8)
2024-04-02 15:15:53 +01:00
Janne Heß
fcc95ff817 treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00
Nick Cao
cee0d0bac7
nixos/pam: use services.fprintd.package for fprintd rule 2024-03-22 20:14:49 -04:00
Adam C. Stephens
b52452f8c7
Merge pull request #291951 from amarshall/zfs-pkgs-renaming
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-03-01 10:09:12 -05:00
K900
8be79e54c5 nixos/pam/kwallet: rename option, allow setting package 2024-02-28 18:49:33 +03:00
Andrew Marshall
2e36c49949 nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
2024-02-27 18:46:00 -05:00
Ryan Lahfa
d9e7a2a88a
Merge pull request #286857 from RaitoBezarius/cacerts
nixos/security/ca: enable support for compatibility bundles
2024-02-11 19:44:02 +01:00
Raito Bezarius
19159a2349 nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
Raito Bezarius
2d78f55438 pam_usb, nixos/pam-usb: drop
`security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-08 02:59:45 +01:00
Sandro
4494fcaab7
nixos/acme: default to lets encrypt production URL instead of null, mention lets encrypt staging URI (#270221) 2024-02-06 01:51:09 +01:00
Rhys Davies
d102910f47
nixos/pam: Add pam_intune 2024-02-02 10:01:52 +13:00
Pierre Bourdon
3484985991
Merge pull request #285587 from edef1c/wrapper-cve-2023-6246
nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01 19:18:45 +01:00
edef
b4c9840652 nixos/modules/security/wrappers: limit argv0 to 512 bytes
This mitigates CVE-2023-6246, crucially without a mass-rebuild.

Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
2024-02-01 18:16:55 +00:00
Adam Stephens
75ec325cb9
nixos/pam: remove pam_cgfs
pam_cgfs is a cgroups-v1 pam module. Verified with upstream that
this module no longer necessary on cgroups-v2 systems.
2024-01-31 17:19:23 -05:00
éclairevoyant
b43dcaf48f
nixos/acme: fix assertion for renamed option 2024-01-19 16:28:56 -05:00
mian | mian
fbe9d95ed9
fix semi-colon missing 2024-01-18 16:31:54 +08:00
nicoo
bd6966bc4a nixos/pam: Secure default for sshAgentAuth.authorizedKeysFiles
Closes #31611
2024-01-12 13:39:08 +00:00
Peder Bergebakken Sundt
dff635f38d
Merge pull request #243169 from 2xsaiko/outgoing/krb5
nixos/krb5: cleanup, fix and RFC42-ify
2024-01-10 21:06:15 +01:00
nicoo
0e5c95035d nixos/pam: Fix use of renamed enableSSHAgentAuth option 2024-01-08 18:13:46 +00:00
Maciej Krüger
b5b2f6bec4
Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
2024-01-08 17:42:02 +01:00
Maciej Krüger
c931d73fba
Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth
nixos/pam: Add assertion for SSH-agent auth
2024-01-07 13:54:27 +01:00
nicoo
2eac5106f1 nixos/sudo: Remove unused enableSSHAgentAuth let-binding 2024-01-04 17:30:09 +00:00
nicoo
9ed1423dcf nixos/pam: Warn on insecure sshAgentAuth configurations 2024-01-04 17:30:09 +00:00
nicoo
822c0a86bd nixos/pam: Add sshAgentAuth.authorizedKeysFiles option 2024-01-03 14:49:36 +00:00
nicoo
a46ea51ca3 nixos/pam: Rename option enableSSHAgentAuth to sshAgentAuth.enable 2024-01-03 14:49:36 +00:00
Maciej Krüger
4f9e98905e
nixos/auditd: fix typo
Would otherwise fail with

```
       error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
       - In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
2024-01-01 17:28:46 +01:00
nicoo
607679c6d3 nixos/pam: Assert that authorizedKeysFiles is non-empty when using pam_ssh_agent_auth 2023-12-30 22:19:38 +00:00
nikstur
d0014a531e nixos/wrappers: order service after sysusers service 2023-12-29 03:41:45 +01:00
nikstur
65ff518a0d nixos/ipa: replace activationScript
Replaced with a dedicated systemd service.
2023-12-29 03:41:45 +01:00
nikstur
c9569af3e0
Merge pull request #271326 from philiptaron/shutdown.target
treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case
2023-12-27 08:33:26 +01:00
Sandro Jäckel
35ca689119
nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it
Also fix the comment with test instructions
2023-12-24 20:36:12 +01:00
nicoo
1e9e8a0db0 nixos/sudo-rs: Removed unused let-binding
Leftover from bcc2d1238a
2023-12-24 13:58:08 +00:00
Marco Rebhan
5ee94c0170
nixos/krb5: add h7x4 as maintainer 2023-12-21 11:38:22 +01:00
Marco Rebhan
a4a9be35f4
nixos/krb5: add myself as maintainer for module & tests 2023-12-21 11:38:18 +01:00
Marco Rebhan
fed77d1705
nixos/krb5: move to security.krb5 2023-12-21 11:35:26 +01:00
pennae
90c53f5341
Merge pull request #270224 from SuperSandro2000/patch-2
nixos/acme: add syntax highlighting to code blocks
2023-12-11 09:03:32 +01:00
Sandro
5a64fb2799
nixos/acme: add syntax highlighting to code blocks 2023-12-10 19:59:22 +01:00
Philip Taron
a7a5b2eca1
nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target 2023-11-30 15:03:56 -08:00
Philip Taron
d7ab46ed87
nixos/duosec: ensure correct ordering w.r.t. shutdown.target 2023-11-30 15:02:51 -08:00