Commit Graph

1052 Commits

Author SHA1 Message Date
Felix Buehler
5c7e172a28 nixos/security.sudo: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
430f4e9c5e nixos/security.pam: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
97b9c7bfcc nixos/security.lockKernelModules: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
264f1b4941 nixos/security.googleOsLogin: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
89f9d95e02 nixos/security.duosec: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
6f58cc224f nixos/security.doas: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
011b094cdd nixos/security.chromiumSuidSandbox: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
8d0fd73946 nixos/security.pki: remove with lib; 2024-12-08 13:21:48 +01:00
Masum Reza
c584da6436
Apparmor: Adopt package, nixos module and nixos tests (#359817) 2024-12-08 09:56:55 +05:30
Thomas Gerbet
6dadace420
nixos/wrapper: pass trusted argv[0] to the privileged executable (#285588) 2024-12-07 11:54:27 +01:00
Colin
ca5f6df0c2
nixos/pam: replace apparmor warnings with assertions (#332119) 2024-12-04 19:06:22 +00:00
misuzu
f608d1b3bc
nixos/acme: fix cert ownership assert for string SupplementaryGroups (#356064) 2024-12-01 16:31:01 +02:00
Grimmauld
ceaeeb47cb
nixos/apparmor: adopt 2024-11-29 19:38:20 +01:00
Felix Buehler
3c80b14a81 nixos/security.please: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
a62e66394b nixos/security.audit: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
236ed7869d nixos/security.apparmor: remove with lib; 2024-11-27 22:26:57 +01:00
Franz Pletz
6473ecdc08
nixos/acme: Set /var/lib/acme permissions to 755 (#353659) 2024-11-27 14:51:32 +01:00
Malte Voos
d9bf91700e nixos/acme: make address families in systemd service less restrictive
This change is to support LEGO's capability to spawn an external process that
solves the DNS-01 challenge. In particular, this enables a setup where LEGO
runs a shell script that uses nsd-control to add an appropriate zone to a
local NSD instance.
2024-11-19 01:40:59 +01:00
ThinkChaos
b2e7be76ba
nixos/acme: fix cert ownership assert for string SupplementaryGroups 2024-11-14 19:19:46 -05:00
John Titor
53712fa4a1
nixos/soteria: init module 2024-11-14 23:23:20 +05:30
K900
871087c18d
nixos/acme: do not limit credentials functionality to DNS/S3 config (#348344) 2024-11-11 01:43:53 +03:00
K900
0453fe2395
{apache,caddy,nginx}: not "before" ACME certs using DNS validation (#336412) 2024-11-08 18:50:28 +03:00
ThinkChaos
1bd7f1374d
nixos/acme: use non deprecated CLI flag for dnsPropagationCheck 2024-11-07 20:19:12 -05:00
ThinkChaos
3c2e82337d
nixos/web-servers: assert ACME cert access via service user and groups
Allows giving access using SupplementaryGroups.
2024-11-07 20:19:12 -05:00
Yuriy Taraday
64a6e8292a nixos/acme: Set /var/lib/acme permissions to 755
It was being created with the default home permissions of 700, and then
set to 755 at runtime by something, either some script or systemd, as
part of service startup.

It worked fine without sysusers, but when it's enabled with:

    systemd.sysusers.enable = true;

systemd-tmpfiles is resetting permissions on each activation, which
breaks, for example, nginx reload, because it cannot load certificates
anymore, because it doesn't have any access to `/var/lib/acme`.

Fix this by setting `homeMode = "755";` explicitly so that it's set to
the final value from the beginning.
2024-11-04 16:04:56 +01:00
github-actions[bot]
a0e96c5d1c
Merge master into staging-next 2024-10-29 06:05:06 +00:00
Sandro Jäckel
1a6638aeb1
nixos/ca: fix description formatting
Right now most of the text is treated as a code block
2024-10-28 15:03:11 +01:00
Fabián Heredia Montiel
34b62f7c47 Merge remote-tracking branch 'origin/master' into staging-next 2024-10-27 16:10:56 -06:00
Aleksana
a56b4f3e50
nixos/wrappers: add enable switch (#350233) 2024-10-27 18:34:01 +08:00
nikstur
7fad2c2e39 nixos/wrappers: add enable switch
Add enable switch to make it possible to disable all wrappers but then
also re-enable all at once by forcing the option to be true.

By default the wrappers are enabled and thus the default behaviour
doesn't change.
2024-10-21 14:41:17 +02:00
github-actions[bot]
8164a7aa6d
Merge master into staging-next 2024-10-21 00:14:52 +00:00
Piotr Dobrowolski
6e6fc7ca26
nixos/acme: do not limit credentials functionality to DNS/S3 config 2024-10-13 22:48:14 +02:00
github-actions[bot]
144082b47e
Merge staging-next into staging 2024-10-10 18:05:19 +00:00
Mikael Voss
7b3261b5a6
nixos/pam: Strip config in documentation and messages
config can be assumed as the options root and is therefore redundant.
2024-10-10 16:07:36 +02:00
Franz Pletz
262f0e36d5
nixos/pam: add pam_rssh support (#336609) 2024-10-10 15:11:28 +02:00
github-actions[bot]
483deb3a04
Merge staging-next into staging 2024-10-04 12:06:05 +00:00
h7x4
d783411040
nixos: improve systemd slice names (#345990) 2024-10-04 12:08:36 +02:00
github-actions[bot]
ae87c79207
Merge staging-next into staging 2024-10-03 18:05:09 +00:00
Bjørn Forsman
48908e5b86 nixos: improve systemd slice names
Following
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Description=,
update slice names to be short, descriptive and capitalized.
2024-10-02 20:24:13 +02:00
Peder Bergebakken Sundt
3100acba08 treewide: \xc2\xa0 ->
I have no idea what this escape sequence even is, but it breaks the nix parser with cryptic errors if not used in a comment.
A friend let me know MacOS is prone to input weird spaces, not sure if that is the source.

Candidates were located and created with:

    chr="$(echo -e '\xc2\xa0')"; rg -F "$chr" -l | xe sd -F "$chr" " "

There are some examples left, most being example output from `tree` in various markdown documents, some patches which we can't really touch, and `pkgs/tools/nix/nixos-render-docs/src/tests/test_commonmark.py` which I'm not sure should be addressed
2024-10-02 15:33:06 +02:00
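The escape sequence in the commit above is the UTF-8 encoding of U+00A0 (NO-BREAK SPACE), bytes C2 A0, which looks like a space in an editor but is not one to the Nix parser. The one-liner in the message relies on `rg`, `xe` and `sd`. The script below is an added example, not nixpkgs code, that does the same job (find files containing the byte pair, count occurrences, and rewrite them to ASCII spaces) with POSIX tools only; the function names and the demo directory and file contents are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of nixpkgs): locate and replace U+00A0 in a source tree.
# Assumes grep/sed/awk/printf from any POSIX userland; no rg, xe or sd needed.

# The two raw bytes of U+00A0 in UTF-8, produced with printf octal escapes.
NBSP="$(printf '\302\240')"

# Print the path of every regular file under directory $1 that contains
# at least one NBSP. -F makes grep treat the byte pair literally.
find_nbsp() {
  grep -rlF -- "$NBSP" "$1" 2>/dev/null
}

# Count NBSP occurrences in file $1 (prints 0 for a clean file).
# gsub returns the number of replacements it made on each line.
count_nbsp() {
  awk -v n="$NBSP" 'BEGIN { c = 0 } { c += gsub(n, "") } END { print c }' "$1"
}

# Replace every NBSP in file $1 with a single ASCII space, in place.
# Writes through a temp file so a failing sed cannot truncate the original.
fix_nbsp() {
  tmp="$1.nbsp.tmp"
  sed "s/$NBSP/ /g" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed demo: one Nix-style file with an NBSP before the value, one clean file.
demo() {
  d="$(mktemp -d)"
  printf 'foo =%s"bar";\n' "$NBSP" > "$d/a.nix"
  printf 'clean = 1;\n' > "$d/b.nix"
  echo "files with NBSP:"
  find_nbsp "$d"
  echo "occurrences in a.nix before fix: $(count_nbsp "$d/a.nix")"
  fix_nbsp "$d/a.nix"
  echo "occurrences in a.nix after fix:  $(count_nbsp "$d/a.nix")"
  rm -rf "$d"
}
```

Run `demo` to see it on the constructed files, or point `find_nbsp` at a checkout and review the list before calling `fix_nbsp` on each path; the commit notes that some hits (patch files, `tree` output in docs) should deliberately be left alone, so a blind rewrite of every match is not what you want.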
oxalica
f534f74249
nixos/security/wrappers: fix fuse path 2024-09-30 15:26:51 -04:00
Felix Buehler
b0d554537c nixos/security.pam: remove with lib; 2024-09-15 10:43:46 +02:00
Felix Buehler
c99cbe65c4 nixos/security: remove with lib; 2024-09-15 10:43:46 +02:00
Mikael Voss
972976d903
nixos/pam: add pam_rssh support 2024-09-13 13:04:39 +02:00
Peder Bergebakken Sundt
c3dabc54aa
security/dhparams: shellcheck fixes (#340492) 2024-09-13 02:52:09 +02:00
phaer
37cf9cbb22
security/dhparams: shellcheck fixes 2024-09-08 12:31:15 +02:00
phaer
22794b93e0
security/acme: shellcheck fixes 2024-09-08 12:29:58 +02:00
Felix Bühler
d7a108054a
nixos/security.acme: remove with lib; (#339101) 2024-09-06 00:08:41 +02:00
r-vdp
38d73e0c07
auditd: add a dependency on systemd-tmpfiles-setup
This is needed so that:
- users have been created (when using systemd-sysusers or userborn)
- /run and /var/run exist
2024-09-05 10:05:18 +02:00
Felix Buehler
03a0f9debe nixos/security.acme: remove with lib; 2024-09-05 00:28:18 +02:00