Commit Graph

1057 Commits

Author SHA1 Message Date
nicoo
f6c5531461
nixos: Don't set !allowSubstitutes (#314664)
It is set by `runCommandLocal` and prevents fetching the build output
from `cache.nixos.org` or another trusted substituter.
2024-12-12 18:26:24 +00:00
Arne Keller
1a0bc2c68d
nixos/rtkit: Add option for rtkit-daemon command-line args (#299696) 2024-12-11 23:00:50 +01:00
Bjørn Forsman
886de305c8 nixos/rtkit: mention pipewire in docstring
I don't know the reason for rtkit only getting enabled by
hardware.pulseaudio.enable and not services.pipewire.enable, as they
both use it to get real-time priority, but we can at least help users by
mentioning pipewire in the rtkit option.
2024-12-11 20:52:13 +01:00
Silvan Mosberger
4f0dadbf38 treewide: format all inactive Nix files
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
Felix Buehler
5c7e172a28 nixos/security.sudo: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
430f4e9c5e nixos/security.pam: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
97b9c7bfcc nixos/security.lockKernelModules: remove with lib; 2024-12-08 13:21:49 +01:00
Felix Buehler
264f1b4941 nixos/security.googleOsLogin: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
89f9d95e02 nixos/security.duosec: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
6f58cc224f nixos/security.doas: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
011b094cdd nixos/security.chromiumSuidSandbox: remove with lib; 2024-12-08 13:21:48 +01:00
Felix Buehler
8d0fd73946 nixos/security.pki: remove with lib; 2024-12-08 13:21:48 +01:00
Masum Reza
c584da6436
Apparmor: Adopt package, nixos module and nixos tests (#359817) 2024-12-08 09:56:55 +05:30
Thomas Gerbet
6dadace420
nixos/wrapper: pass trusted argv[0] to the privileged executable (#285588) 2024-12-07 11:54:27 +01:00
Rodney Lorrimar
e2139b903b
nixos/rtkit: Add option for rtkit-daemon command-line args 2024-12-06 12:43:54 +08:00
Colin
ca5f6df0c2
nixos/pam: replace apparmor warnings with assertions (#332119) 2024-12-04 19:06:22 +00:00
misuzu
f608d1b3bc
nixos/acme: fix cert ownership assert for string SupplementaryGroups (#356064) 2024-12-01 16:31:01 +02:00
Grimmauld
ceaeeb47cb
nixos/apparmor: adopt 2024-11-29 19:38:20 +01:00
Felix Buehler
3c80b14a81 nixos/security.please: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
a62e66394b nixos/security.audit: remove with lib; 2024-11-27 22:26:57 +01:00
Felix Buehler
236ed7869d nixos/security.apparmor: remove with lib; 2024-11-27 22:26:57 +01:00
Franz Pletz
6473ecdc08
nixos/acme: Set /var/lib/acme permissions to 755 (#353659) 2024-11-27 14:51:32 +01:00
Malte Voos
d9bf91700e nixos/acme: make address families in systemd service less restrictive
This change is to support LEGO's capability to spawn an external process that
solves the DNS-01 challenge. In particular, this enables a setup where LEGO
runs a shell script that uses nsd-control to add an appropriate zone to a
local NSD instance.
2024-11-19 01:40:59 +01:00
ThinkChaos
b2e7be76ba
nixos/acme: fix cert ownership assert for string SupplementaryGroups 2024-11-14 19:19:46 -05:00
John Titor
53712fa4a1
nixos/soteria: init module 2024-11-14 23:23:20 +05:30
K900
871087c18d
nixos/acme: do not limit credentials functionality to DNS/S3 config (#348344) 2024-11-11 01:43:53 +03:00
K900
0453fe2395
{apache,caddy,nginx}: not "before" ACME certs using DNS validation (#336412) 2024-11-08 18:50:28 +03:00
ThinkChaos
1bd7f1374d
nixos/acme: use non deprecated CLI flag for dnsPropagationCheck 2024-11-07 20:19:12 -05:00
ThinkChaos
3c2e82337d
nixos/web-servers: assert ACME cert access via service user and groups
Allows giving access using SupplementaryGroups.
2024-11-07 20:19:12 -05:00
Yuriy Taraday
64a6e8292a nixos/acme: Set /var/lib/acme permissions to 755
It was being created with the default home permissions of 700, and then
set to 755 at runtime by something, either some script or systemd, as
part of service startup.

It worked fine without sysusers, but when it's enabled with:

    systemd.sysusers.enable = true;

systemd-tmpfiles is resetting permissions on each activation, which
breaks, for example, nginx reload, because it cannot load certificates
anymore, because it doesn't have any access to `/var/lib/acme`.

Fix this by setting `homeMode = "755";` explicitly so that it's set to
the final value from the beginning.
2024-11-04 16:04:56 +01:00
github-actions[bot]
a0e96c5d1c
Merge master into staging-next 2024-10-29 06:05:06 +00:00
Sandro Jäckel
1a6638aeb1
nixos/ca: fix description formatting
Right now most of the text is treated as a code block
2024-10-28 15:03:11 +01:00
Fabián Heredia Montiel
34b62f7c47 Merge remote-tracking branch 'origin/master' into staging-next 2024-10-27 16:10:56 -06:00
Aleksana
a56b4f3e50
nixos/wrappers: add enable switch (#350233) 2024-10-27 18:34:01 +08:00
nikstur
7fad2c2e39 nixos/wrappers: add enable switch
Add enable switch to make it possible to disable all wrappers but then
also re-enable all at once by forcing the option to be true.

By default the wrappers are enabled and thus the default behaviour
doesn't change.
2024-10-21 14:41:17 +02:00
github-actions[bot]
8164a7aa6d
Merge master into staging-next 2024-10-21 00:14:52 +00:00
Piotr Dobrowolski
6e6fc7ca26
nixos/acme: do not limit credentials functionality to DNS/S3 config 2024-10-13 22:48:14 +02:00
github-actions[bot]
144082b47e
Merge staging-next into staging 2024-10-10 18:05:19 +00:00
Mikael Voss
7b3261b5a6
nixos/pam: Strip config in documentation and messages
config can be assumed as the options root and is therefore redundant.
2024-10-10 16:07:36 +02:00
Franz Pletz
262f0e36d5
nixos/pam: add pam_rssh support (#336609) 2024-10-10 15:11:28 +02:00
github-actions[bot]
483deb3a04
Merge staging-next into staging 2024-10-04 12:06:05 +00:00
h7x4
d783411040
nixos: improve systemd slice names (#345990) 2024-10-04 12:08:36 +02:00
github-actions[bot]
ae87c79207
Merge staging-next into staging 2024-10-03 18:05:09 +00:00
Bjørn Forsman
48908e5b86 nixos: improve systemd slice names
Following
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Description=,
update slice names to be short, descriptive and capitalized.
2024-10-02 20:24:13 +02:00
Peder Bergebakken Sundt
3100acba08 treewide: \xc2\xa0 ->
I have no idea what this escape sequence even is, but it breaks the nix parser with cryptic errors if not used in a comment.
A friend let me know MacOS is prone to input weird spaces, not sure if that is the source.

Candidates were located and created with:

    chr="$(echo -e '\xc2\xa0')"; rg -F "$chr" -l | xe sd -F "$chr" " "

There are some examples left, most being example output from `tree` in various markdown documents, some patches which we can't really touch, and `pkgs/tools/nix/nixos-render-docs/src/tests/test_commonmark.py` which I'm not sure should be addressed
2024-10-02 15:33:06 +02:00
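The `\xc2\xa0` in the commit above is the UTF-8 encoding of U+00A0 (NO-BREAK SPACE), which looks like an ordinary space in an editor but is rejected by the Nix parser outside comments. The one-liner in the message finds and rewrites it with `rg`/`sd`. The following script is an added example, not part of nixpkgs or of that commit: it locates such characters with line and column so a CI check can report them, and it generalizes beyond U+00A0 to a small set of other invisible or space-like code points (that set, and the choice to drop zero-width characters rather than replace them, are assumptions of this example).

```python
"""Find and normalize invisible / space-like Unicode in source files.

Added example, not nixpkgs code. Reports file:line:col:NAME for each hit
and exits non-zero, so it can run as a pre-commit or CI check.
"""
from __future__ import annotations

import sys
from pathlib import Path

# U+00A0 (UTF-8: \xc2\xa0) is the character the commit hunts for. The rest
# are an assumption about what else is worth flagging in source text.
SPACE_LIKE = {
    "\u00a0": "NO-BREAK SPACE",
    "\u2007": "FIGURE SPACE",
    "\u202f": "NARROW NO-BREAK SPACE",
    "\u3000": "IDEOGRAPHIC SPACE",
}
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}
SUSPECT = {**SPACE_LIKE, **ZERO_WIDTH}


def find_suspect_whitespace(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, name) for every suspect code point, 1-indexed."""
    hits: list[tuple[int, int, str]] = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            name = SUSPECT.get(ch)
            if name is not None:
                hits.append((lineno, col, name))
    return hits


def normalize(text: str) -> str:
    """Rewrite space-like code points to U+0020 and drop zero-width ones.

    Mirrors the `sd -F "$chr" " "` step of the commit for U+00A0 and applies
    the same idea to the other space-like characters above.
    """
    out = []
    for ch in text:
        if ch in SPACE_LIKE:
            out.append(" ")
        elif ch in ZERO_WIDTH:
            continue
        else:
            out.append(ch)
    return "".join(out)


def scan_file(path: Path) -> list[tuple[int, int, str]]:
    """Decode a file as UTF-8 (undecodable bytes are replaced) and scan it."""
    return find_suspect_whitespace(path.read_bytes().decode("utf-8", errors="replace"))


def main(argv: list[str]) -> int:
    """Usage: scan_ws.py FILE... ; prints hits, returns 1 if any were found."""
    found = 0
    for arg in argv[1:]:
        path = Path(arg)
        for lineno, col, name in scan_file(path):
            print(f"{path}:{lineno}:{col}: {name}")
            found += 1
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it over a checkout (`find . -name '*.nix' -print0 | xargs -0 python3 scan_ws.py`) gives exact positions rather than only file names, which is what a reviewer needs when the offending byte sits inside a comment and is harmless there.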
oxalica
f534f74249
nixos/security/wrappers: fix fuse path 2024-09-30 15:26:51 -04:00
Felix Buehler
b0d554537c nixos/security.pam: remove with lib; 2024-09-15 10:43:46 +02:00
Felix Buehler
c99cbe65c4 nixos/security: remove with lib; 2024-09-15 10:43:46 +02:00
Mikael Voss
972976d903
nixos/pam: add pam_rssh support 2024-09-13 13:04:39 +02:00
Peder Bergebakken Sundt
c3dabc54aa
security/dhparams: shellcheck fixes (#340492) 2024-09-13 02:52:09 +02:00