Commit Graph

1036 Commits

Author SHA1 Message Date
Felix Buehler
3c80b14a81 nixos/security.please: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
a62e66394b nixos/security.audit: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
236ed7869d nixos/security.apparmor: remove with lib; 2024-11-27 22:26:57 +01:00
Franz Pletz
6473ecdc08
nixos/acme: Set /var/lib/acme permissions to 755 (#353659) 2024-11-27 14:51:32 +01:00
Malte Voos
d9bf91700e nixos/acme: make address families in systemd service less restrictive
This change is to support LEGO's capability to spawn an external process that
solves the DNS-01 challenge. In particular, this enables a setup where LEGO
runs a shell script that uses nsd-control to add an appropriate zone to a
local NSD instance.
2024-11-19 01:40:59 +01:00
John Titor
53712fa4a1
nixos/soteria: init module 2024-11-14 23:23:20 +05:30
K900
871087c18d
nixos/acme: do not limit credentials functionality to DNS/S3 config (#348344) 2024-11-11 01:43:53 +03:00
K900
0453fe2395
{apache,caddy,nginx}: not "before" ACME certs using DNS validation (#336412) 2024-11-08 18:50:28 +03:00
ThinkChaos
1bd7f1374d
nixos/acme: use non deprecated CLI flag for dnsPropagationCheck 2024-11-07 20:19:12 -05:00
ThinkChaos
3c2e82337d
nixos/web-servers: assert ACME cert access via service user and groups
Allows giving access using SupplementaryGroups.
2024-11-07 20:19:12 -05:00
Yuriy Taraday
64a6e8292a nixos/acme: Set /var/lib/acme permissions to 755
It was being created with the default home permissions of 700, and then
set to 755 at runtime by something either some script or systemd as
part of service startup.

It worked fine without sysusers, but when it's enabed with:

    systemd.sysusers.enable = true;

systemd-tmpfiles is resetting permissions on each activation, which
breaks, for example, nginx reload, because it cannot load certificates
anymore, because it doesn't have any access to `/var/lib/acme`.

Fix this by setting `homeMode = "755";` explicitely so that it's set to
the final value from the beginning.
2024-11-04 16:04:56 +01:00
github-actions[bot]
a0e96c5d1c
Merge master into staging-next 2024-10-29 06:05:06 +00:00
Sandro Jäckel
1a6638aeb1
nixos/ca: fix description formatting
Right now most of the text is treated as a code block
2024-10-28 15:03:11 +01:00
Fabián Heredia Montiel
34b62f7c47 Merge remote-tracking branch 'origin/master' into staging-next 2024-10-27 16:10:56 -06:00
Aleksana
a56b4f3e50
nixos/wrappers: add enable switch (#350233) 2024-10-27 18:34:01 +08:00
nikstur
7fad2c2e39 nixos/wrappers: add enable switch
Add enable switch to make it possible to disable all wrappers but then
also re-enable all at once by forcing the option to be true.

By default the wrappers are enabled and thus the default behaviour
doesn't change.
2024-10-21 14:41:17 +02:00
github-actions[bot]
8164a7aa6d
Merge master into staging-next 2024-10-21 00:14:52 +00:00
Piotr Dobrowolski
6e6fc7ca26
nixos/acme: do not limit credentials functionality to DNS/S3 config 2024-10-13 22:48:14 +02:00
github-actions[bot]
144082b47e
Merge staging-next into staging 2024-10-10 18:05:19 +00:00
Mikael Voss
7b3261b5a6
nixos/pam: Strip config in documentation and messages
config can be assumed as the options root and is therefore redundant.
2024-10-10 16:07:36 +02:00
Franz Pletz
262f0e36d5
nixos/pam: add pam_rssh support (#336609) 2024-10-10 15:11:28 +02:00
github-actions[bot]
483deb3a04
Merge staging-next into staging 2024-10-04 12:06:05 +00:00
h7x4
d783411040
nixos: improve systemd slice names (#345990) 2024-10-04 12:08:36 +02:00
github-actions[bot]
ae87c79207
Merge staging-next into staging 2024-10-03 18:05:09 +00:00
Bjørn Forsman
48908e5b86 nixos: improve systemd slice names
Following
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Description=,
update slice names to be short, descriptive and capitalized.
2024-10-02 20:24:13 +02:00
Peder Bergebakken Sundt
3100acba08 treewide: \xc2\xa0 ->
I have no idea what this escape sequence even is, but it breaks the nix parser with cryptic errors if not used in a comment.
A friend let me know MacOS is prone to input weird spaces, not sure if that is the source.

Candidates were located and created with:

    chr="$(echo -e '\xc2\xa0')"; rg -F "$chr" -l | xe sd -F "$chr" " "

There are some examples left, most being example output from `tree` in various markdown documents, some patches which we can't really touch, and `pkgs/tools/nix/nixos-render-docs/src/tests/test_commonmark.py` which I'm not sure if should be addressed
2024-10-02 15:33:06 +02:00
oxalica
f534f74249
nixos/security/wrappers: fix fuse path 2024-09-30 15:26:51 -04:00
Felix Buehler
b0d554537c nixos/security.pam: remove with lib; 2024-09-15 10:43:46 +02:00
Felix Buehler
c99cbe65c4 nixos/security: remove with lib; 2024-09-15 10:43:46 +02:00
Mikael Voss
972976d903
nixos/pam: add pam_rssh support 2024-09-13 13:04:39 +02:00
Peder Bergebakken Sundt
c3dabc54aa
security/dhparams: shellcheck fixes (#340492) 2024-09-13 02:52:09 +02:00
phaer
37cf9cbb22
security/dhparams: shellcheck fixes 2024-09-08 12:31:15 +02:00
phaer
22794b93e0
security/acme: shellcheck fixes 2024-09-08 12:29:58 +02:00
Felix Bühler
d7a108054a
nixos/security.acme: remove with lib; (#339101) 2024-09-06 00:08:41 +02:00
r-vdp
38d73e0c07
auditd: add a dependency on systemd-tmpfiles-setup
This is needed so that:
- users have been created (when using systemd-sysusers or userborn)
- /run and /var/run exist
2024-09-05 10:05:18 +02:00
Felix Buehler
03a0f9debe nixos/security.acme: remove with lib; 2024-09-05 00:28:18 +02:00
r-vdp
544c97226d
auditd: remove with lib 2024-09-04 10:00:07 +02:00
r-vdp
0cb37347c6
auditd: format with nixfmt 2024-09-04 10:00:07 +02:00
Philip Taron
117f3ceb51
treewide/nixos: remove with lib; part 1 (#335603) 2024-08-29 15:42:04 -07:00
Felix Buehler
9856183d59 nixos/security.polkit: remove with lib; 2024-08-30 00:30:38 +02:00
Felix Buehler
9dfb6b691d nixos/security.sudo-rs: remove with lib; 2024-08-30 00:10:54 +02:00
Felix Buehler
e32ec19edf nixos/security.pam: remove with lib; 2024-08-22 00:19:00 +02:00
Sandro Jäckel
96790120df
nixos/pam: fix writeFile no longer taking null as an argument warning
> evaluation warning: pkgs.writeText "motd": The second argument should be a string, but it's a null instead, which is deprecated. Use `toString` to convert the value to a string first.
2024-08-09 14:20:47 +02:00
Pratham Patel
4074853391
nixos/pam: kwallet: add the forceRun option 2024-08-01 09:51:31 +05:30
Colin
7306423158
nixos/pam: fully-qualify modulePath
this ensures PAM users always get the intended version of a module when
multiple versions of the same module exist on a system.

most packages which consume `pam` and link against `libpam.so` do so only
to access its API, and not because they care about the specific
`pam_<xyz>.so` modules provided by that `pam`. but when specifying
modules by name only, PAM-capable applications may well load the
`pam_<xyz>.so` from the `pam` they were compiled against instead of the
pam declared in `security.pam.package`. by fully qualifying `modulePath`
we ensure that users can actually swap out pam modules without rebuilding
the world.
2024-07-30 23:53:58 +05:30
Colin
7511ed266c
nixos/pam: add security.pam.package option
this can be used to swap out which pam package is actually used by the
system for things like `pam_limits`, `pam_tty_audit`, etc, without forcing
a mass rebuild the way an overlay would.
2024-07-30 23:53:57 +05:30
Sigmanificient
6dd44107ac treewide: remove unused lib (and other) arguments 2024-07-26 11:18:09 +02:00
Masum Reza
13da3c09fb
Merge pull request #327499 from max-privatevoid/pam-kanidm-package-option
nixos/pam: use Kanidm's package option
2024-07-24 09:24:09 +05:30
Arian van Putten
8afba669e2 nixos/wrappers: use normal mount for /run/wrappers
We want to get rid of specialFileSystems / earlyMountScript eventually and
there is no need to run this before systemd anymore now that
the wrappers themselves are set up in a systemd unit since https://github.com/NixOS/nixpkgs/pull/263203

Also this is needed to make soft-reboot work. We want to make sure
that we remount /run/wrappers with the nosuid bit removed on soft-reboot
but because @earlyMountScript@ happens in initrd, this wouldn't happen
2024-07-20 16:07:43 +02:00
Max
1dd44eaf67 nixos/pam: use Kanidm's package option 2024-07-16 00:39:03 +02:00