Commit Graph

1053 Commits

Author SHA1 Message Date
mib
2e66f109ed nixos/pam: fix typo in fscrypt enable option
mkEnableOption prepends "Whether to enable" to text, so this became
"Whether to enable Enables fscrypt ..."
2023-09-11 12:06:39 +02:00
Pierre Bourdon
bfdf28becf
Merge pull request #251770 from robryk/suidwrapapparm
nixos/security/wrappers: simplifications and a fix for #98863 (respin of #199599)
2023-09-10 09:51:36 +02:00
Oliver Schmidt
e362fe9c6d security/acme: limit concurrent certificate generations
fixes #232505

Implements the new option `security.acme.maxConcurrentRenewals` to limit
the number of certificate generation (or renewal) jobs that can run in
parallel. This avoids overloading the system resources with many
certificates or running into acme registry rate limits and network
timeouts.

Architecture considerations:
- simplicity, lightweight: Concerns have been voiced about making this
  already rather complex module even more convoluted. Additionally,
  locking solutions shall not significantly increase performance and
  footprint of individual job runs.
  To accomodate these concerns, this solution is implemented purely in
  Nix, bash, and using the light-weight `flock` util. To reduce
  complexity, jobs are already assigned their lockfile slot at system
  build time instead of dynamic locking and retrying. This comes at the
  cost of not always maxing out the permitted concurrency at runtime.
- no stale locks: Limiting concurrency via locking mechanism is usually
  approached with semaphores. Unfortunately, both SysV as well as
  POSIX-Semaphores are *not* released when the process currently locking
  them is SIGKILLed. This poses the danger of stale locks staying around
  and certificate renewal being blocked from running altogether.
  `flock` locks though are released when the process holding the file
  descriptor of the lock file is KILLed or terminated.
- lockfile generation: Lock files could either be created at build time
  in the Nix store or at script runtime in a idempotent manner.
  While the latter would be simpler to achieve, we might exceed the number
  of permitted concurrent runs during a system switch: Already running
  jobs are still locked on the existing lock files, while jobs started
  after the system switch will acquire locks on freshly created files,
  not being blocked by the still running services.
  For this reason, locks are generated and managed at runtime in the
  shared state directory `/var/lib/locks/`.

nixos/security/acme: move locks to /run

also, move over permission and directory management to systemd-tmpfiles

nixos/security/acme: fix some linter remarks in my code

there are some remarks left for existing code, not touching that

nixos/security/acme: redesign script locking flow

- get rid of subshell
- provide function for wrapping scripts in a locked environment

nixos/acme: improve visibility of blocking on locks

nixos/acme: add smoke test for concurrency limitation

heavily inspired by m1cr0man

nixos/acme: release notes entry on new concurrency limits

nixos/acme: cleanup, clarifications
2023-09-09 20:13:18 +02:00
nicoo
10b6e8ba21 nixos/sudo: Guard against security.sudo.package = pkgs.sudo-rs;
This is not unlikely to happen, given the enthusiasm shown by some users,
but we are not there yet, and this will save them from breaking their system.
2023-09-04 22:00:00 +00:00
Robert Obryk
c64bbd4466 nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-27 14:10:38 +02:00
Robert Obryk
e3550208de nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-27 14:10:38 +02:00
Robert Obryk
1bdbc0b0fe nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.

This change removes part of the test that is obsoleted by the removal of
`.real` files.
2023-08-27 14:10:36 +02:00
Robert Obryk
44fde723be nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
2023-08-27 14:10:07 +02:00
Pierre Bourdon
4428f3a79a
Revert "nixos/security/wrappers: simplifications and a fix for #98863" 2023-08-24 08:35:11 +02:00
Robert Obryk
ff204ca32b nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-16 11:33:22 +02:00
Robert Obryk
11ca4dcbb8 nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-16 11:33:22 +02:00
Robert Obryk
ec36e0218f nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.
2023-08-16 11:33:22 +02:00
Aaron Andersen
9d56365451 security/pam: add umask option to configure pam_mkhomedir 2023-08-10 20:35:08 -04:00
Ryan Lahfa
ec409e6f79
Merge pull request #231673 from symphorien/suid_wrappers_userns 2023-08-10 11:52:59 +02:00
Guillaume Girol
0e4b8a05b2 nixos/wrappers: allow setuid and setgid wrappers to run in user namespaces
In user namespaces where an unprivileged user is mapped as root and root
is unmapped, setuid bits have no effect. However setuid root
executables like mount are still usable *in the namespace* as the user
already has the required privileges. This commit detects the situation
where the wrapper gained no privileges that the parent process did not
already have and in this case does less sanity checking. In short there
is no need to be picky since the parent already can execute the foo.real
executable themselves.

Details:
man 7 user_namespaces:
   Set-user-ID and set-group-ID programs
       When a process inside a user namespace executes a set-user-ID
       (set-group-ID) program, the process's effective user (group) ID
       inside the namespace is changed to whatever value is mapped for
       the user (group) ID of the file.  However, if either the user or
       the group ID of the file has no mapping inside the namespace, the
       set-user-ID (set-group-ID) bit is silently ignored: the new
       program is executed, but the process's effective user (group) ID
       is left unchanged.  (This mirrors the semantics of executing a
       set-user-ID or set-group-ID program that resides on a filesystem
       that was mounted with the MS_NOSUID flag, as described in
       mount(2).)

The effect of the setuid bit is that the real user id is preserved and
the effective and set user ids are changed to the owner of the wrapper.
We detect that no privilege was gained by checking that euid == suid
== ruid. In this case we stop checking that euid == owner of the
wrapper file.

As a reminder here are the values of euid, ruid, suid, stat.st_uid and
stat.st_mode & S_ISUID in various cases when running a setuid 42 executable as user 1000:

Normal case:
ruid=1000 euid=42 suid=42
setuid=2048, st_uid=42

nosuid mount:
ruid=1000 euid=1000 suid=1000
setuid=2048, st_uid=42

inside unshare -rm:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534

inside unshare -rm, on a suid mount:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
2023-08-09 12:00:00 +00:00
Lin Jian
74fadae942
treewide: stop using types.string
It is an error[1] now.

[1]: https://github.com/NixOS/nixpkgs/pull/247848
2023-08-08 21:31:21 +08:00
ajs124
bf4d2e6c1e
Merge pull request #242538 from tnias/fix/apparmor
apparmor: add some policies and improve abstractions and utils
2023-08-04 13:05:52 +02:00
Philipp Bartsch
0f474b4c6c nixos/apparmor: support custom i18n glibc locales
The i18n nixos module creates a customized glibcLocales package.
Use the system specific glibcLocale instead of the vanilla one.
2023-07-12 21:38:31 +02:00
Philipp Bartsch
ad7ffe3a7c nixos/apparmor: fix syntax in abstractions/bash 2023-07-09 22:25:30 +02:00
Philipp Bartsch
9145e6df84 nixos/apparmor: add missing abstraction/nss-systemd
The abstraction/nameservice profile from apparmor-profiles package
includes abstractions/nss-systemd. Without "reexporting" it,
the include fails and we get some errors.
2023-07-09 22:21:44 +02:00
Jacob Moody
5f97e78c64 pam_dp9ik: init at 1.5 2023-07-09 14:12:21 -05:00
Philipp Bartsch
0eabede44b nixos/apparmor: make abstractions/ssl_certs more go friendly
By default golang's crypto/x509 implementation wants to read
/etc/pki/tls/certs/ when loading system certificates.

This patch adds the path to reduce audit log noise.

Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
2023-07-08 00:53:27 +02:00
Michael Hoang
98d970bc37 nixos/qemu-vm: use CA certificates from host 2023-07-06 21:32:08 +10:00
Felix Buehler
933a41a73f treewide: use optional instead of 'then []' 2023-06-25 09:11:40 -03:00
Max
34a4165674 nixos/pam: support Kanidm 2023-06-11 17:17:42 +02:00
Jenny
0adbf8feb4
nixos/pam_mount: fix mounts without options (#234026)
This commit adds a comma in front of the given options, which makes the
mounts still succeed even if no options are given.

Fixes #233946
2023-05-25 22:45:59 +02:00
Jenny
7abd408b7f
nixos/pam_mount: fix cryptmount options (#232873)
There was a bug in the pam_mount module that crypt mount options were
not passed to the mount.crypt command. This is now fixed and
additionally, a cryptMountOptions NixOS option is added to define mount
options that should apply to all crypt mounts.

Fixes #230920
2023-05-20 17:40:36 +02:00
Robert Hensing
25f227fc67
Merge pull request #231316 from hercules-ci/nixos-system.checks
NixOS: add `system.checks`
2023-05-15 23:16:29 +02:00
Nick Cao
1de301aef3
Merge pull request #231954 from mac-chaffee/acme-ipv6
nixos/security/acme: Fix listenHTTP bug with IPv6 addresses
2023-05-15 07:30:57 -06:00
Raito Bezarius
3f446bfbd3 nixos/pam: fix ZFS support assertion
It was always complaining even if you didn't enable PAM ZFS.
2023-05-15 12:06:04 +02:00
Nicola Squartini
87cbaf7ce3 nixos/pam: assert ZFS support for PAM module 2023-05-15 09:22:42 +02:00
Nicola Squartini
5466f76755 nixos/pam: improve documentation of ZFS module 2023-05-15 09:22:39 +02:00
Nicola Squartini
09f4bf7f16 nixos/pam: enable unlocking ZFS home dataset 2023-05-15 09:20:40 +02:00
Mac Chaffee
33b15fdce0
security/acme: Fix listenHTTP bug with IPv6 addresses 2023-05-14 20:27:52 -04:00
Robert Hensing
2e2f0d28ea nixos: Use checks instead of extraDependencies
... as appropriate.

This drops a few unnecessary store paths from the system closure.
2023-05-11 21:18:38 +02:00
Ryan Lahfa
fe7b996d66
Merge pull request #230857 from s1341/bugfix_pam_sssd
nixos/pam: Allow password changing via sssd
2023-05-10 16:56:47 +02:00
fetsorn
5e77899001 nixos/tpm2: fix typo
"acess" -> "access"
2023-05-09 18:02:17 +04:00
fetsorn
ac5f6d9100 nixos/apparmor: fix typo
"usualy" -> "usually"
2023-05-09 18:02:17 +04:00
s1341
e2d538fead pam: remove unused try_first_pass 2023-05-09 13:45:15 +03:00
s1341
765ae4d581 nixos/pam: allow changing password using sssd 2023-05-09 13:43:06 +03:00
Nick Cao
3e3d82f42c
Merge pull request #227232 from datafoo/nixos-acme-fix-options-type
nixos/acme: fix options type
2023-04-24 10:01:04 +08:00
Artturi
b83db86a9e
Merge pull request #222080 from Stunkymonkey/nixos-optionalString 2023-04-20 16:07:30 +03:00
datafoo
2890af5e4b nixos/acme: fix options type
null is a possible default so the type must reflect that.
2023-04-20 11:52:57 +02:00
Felix Buehler
327b0cff7a treewide: use more lib.optionalString 2023-04-07 13:38:33 +02:00
Benjamin Staffin
ff296a777e
Merge pull request #207115 from s1341/init_freeipa
freeipa: init at 4.10.1
2023-03-30 13:15:18 -04:00
github-actions[bot]
d761f69867
Merge master into staging-next 2023-03-17 17:57:00 +00:00
Savyasachee Jha
4177ddcfd6 doas: refactor config generation
According to Ted Unangst, since doas evaluates rules in a last
matched manner, it is prudent to have the "permit root to do everything
without a password at the end of the file.

Source: https://flak.tedunangst.com/post/doas-mastery
2023-03-17 09:05:08 -07:00
github-actions[bot]
455127ad5e
Merge master into staging-next 2023-03-16 18:01:20 +00:00
s1341
6d299334b0 nixos/freeipa: init 2023-03-16 08:40:13 +02:00
Martin Weinelt
4472cf44eb
treewide: Make yescrypt the default algorithm for pam_unix.so
This ensures `passwd` will default to yescrypt for newly generated
passwords.
2023-03-13 07:54:27 +01:00
Felix Buehler
d10e69c86b treewide: deprecate isNull
https://nixos.org/manual/nix/stable/language/builtins.html#builtins-isNull
2023-03-06 22:40:04 +01:00
Winter
ee6517a915 Revert "nixos/polkit: guard static gid for polkituser behind state version"
This reverts commit 2265160fc0 and
e56db577a1.

Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to supress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.

See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
2023-02-25 22:32:16 -05:00
Nick Cao
2265160fc0
nixos/polkit: guard static gid for polkituser behind state version 2023-02-23 17:07:49 +08:00
1sixth
e56db577a1
nixos/polkit: set static gid for polkituser
polkituser needs a group since https://github.com/NixOS/nixpkgs/pull/130522.
2023-02-22 08:46:55 +08:00
pennae
bf4c0c1900 nixos/*: remove trailing period in mkEnableOptions
those are added by mkEnableOption, and .. is replaced to … by markdown
processing.
2023-02-08 15:23:34 +01:00
pennae
0a6e6cf7e6 nixos/manual: render module chapters with nixos-render-docs
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh

since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).

also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
2023-01-27 20:07:34 +01:00
Nick Cao
831ce5cb71
Merge pull request #211830 from sorpaas/patch-11
nixos/systemd-confinement: remove unused rootName
2023-01-22 16:25:44 +08:00
Naïm Favier
363158603a nixos: fix backticks in Markdown descriptions 2023-01-21 18:08:38 +01:00
Wei Tang
ec8d74d58a
nixos/systemd-confinement: remove unused rootName 2023-01-20 22:39:16 +01:00
github-actions[bot]
49722fd14a
Merge master into staging-next 2023-01-13 18:01:34 +00:00
pennae
53fc887582 nixos/manual: move "edit the MD file" comments to generated XML 2023-01-10 12:34:37 +01:00
pennae
bf92eaebe4 nixos/manual: generate module chapters with md-to-db.sh 2023-01-10 10:32:00 +01:00
pennae
23ea73b416 nixos/manual: enable smart quotes for all MD chapters 2023-01-10 10:31:59 +01:00
pennae
53935b445f nixos/acme: convert manual chapter to MD 2023-01-10 10:31:54 +01:00
pennae
6930425922 nixos/manual: normalize <literal><link> -> <link><literal>
MD can only do the latter, so change them all over now to keeps diffs reviewable.

this also includes <literal><xref> -> <xref> where options are referenced since
the reference will implicitly add an inner literal tag.
2023-01-10 10:31:52 +01:00
pennae
80a78f2e1e nixos/manual: remove links from program listings
markdown cannot represent those links. remove them all now instead of in
each chapter conversion to keep the diff for each chapter small and more
understandable.
2023-01-10 10:31:52 +01:00
Florian Klink
6b1a896570
Merge pull request #205121 from alaviss/homed
nixos: systemd-homed support
2022-12-23 13:09:17 +01:00
figsoda
6bb0dbf91f nixos: fix typos 2022-12-17 19:31:14 -05:00
Markus Napierkowski
192ae663cc nixos/pam: allow backing the motd with a file 2022-12-15 11:54:26 +01:00
Leorize
05420f34cf nixos: add systemd-homed support
As a start, it's not very configurable, but works pretty well.
2022-12-09 12:10:51 -06:00
Franz Pletz
69f8e94c46
Merge pull request #199587 from lorenz/fscrypt
nixos/pam: support fscrypt login protectors
2022-11-14 09:42:35 +01:00
Lorenz Brun
f046cc0923 nixos/pam: support fscrypt login protectors
fscrypt can automatically unlock directories with the user's login
password. To do this it ships a PAM module which reads the user's
password and loads the respective keys into the user's kernel keyring.

Significant inspiration was taken from the ecryptfs implementation.
2022-11-11 15:37:39 +01:00
Bobby Rong
03e68946a0
Merge pull request #186628 from ocfox/pam_faildelay
nixos/pam: add option failDelay
2022-11-07 19:54:57 +08:00
ocfox
ab0ae8f5e1
nixos/pam: add option failDelay
Co-authored-by: Bobby Rong <rjl931189261@126.com>
2022-11-07 19:16:35 +08:00
Naïm Favier
814628a45d
Merge pull request #174951 from dpausp/fix-pam-tty-audit 2022-11-01 23:50:58 +01:00
Yorick van Pelt
af4a43e36a
treewide: convert fake octal ints to strings
These were being cast to strings later and then reinterpreted as
octal.
2022-10-28 17:23:44 +02:00
Sandro
6c10d52d0d
Merge pull request #194036 from gloaming/polkit-debug-logs 2022-10-26 22:23:45 +02:00
Martin Weinelt
fcf2d05d81 nixos/acme: Relax syscall filter after go upgrade
With Go 1.19 calls to setrlimit are required for lego to run.

While we could allow setrlimit alone, I think it is not unreasonable to
allow @resources in general.

Closes: #197513
2022-10-25 07:22:27 +10:00
Tobias Stenzel
8111e4f113 nixos/pam: fix pam_tty_audit config
Escape the line breaks to render a valid config.
Module arguments have to be at the same line or line endings have to be
escaped with a backslash.
2022-10-22 23:20:09 +02:00
Azat Bahawi
e04579e7cd nixos/please: init module
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2022-10-15 07:05:10 -07:00
Christian Kögler
aff16d8bc8
Merge pull request #190052 from JasonWoof/acme-example
nixos/doc: fix acme dns-01 example
2022-10-07 12:53:15 +02:00
Lucas Savva
49c0fd7d60 nixos/acme: Disable lego renew sleeping
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start up of any services its depending on.

Also added FixedRandomDelay to the timer for more predictability.
2022-10-06 10:30:24 -04:00
Lucas Savva
657ecbca0e nixos/acme: Make account creds check more robust
Fixes #190493

Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
2022-10-06 10:30:24 -04:00
Lucas Savva
39796cad46 nixos/acme: Fix cert renewal with built in webserver
Fixes #191794

Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
2022-10-06 10:30:24 -04:00
Craig Hall
a4995b6f0a nixos/polkit: Add debug option 2022-10-02 10:13:04 +01:00
Fabián Heredia Montiel
a233e59d19 nixos/pam: fix deprecated gnome3 reference 2022-09-25 00:39:27 -05:00
Jason Yundt
17352e8995 nixos/security/wrappers: clarify required format for capabilities
Before this change, the description for
security.wrappers.<name>.capabilities made it seem like you could just
string together the names of capabilities like this:

  capabilities = "CAP_SETUID,CAP_SETGID";

In reality, each item in the list must be a full-on capability clause:

  capabilities = "CAP_SETUID=ep,CAP_SETGID+i";
2022-09-11 16:36:58 +02:00
Jason Woofenden
7e5617aa7a nixos/doc: fix acme dns-01 example
Summary: fix errors with example code in the manual that shows how to set up DNS-01 verification via the acme protocol, e.g. for those who want to get wildcard certificates from Let's Encrypt.

Fix syntax error in nix arrays (there should not be commas.)

Fix permissions on /var/lib/secrets so it can be read by bind daemon. Without this fix bind won't start.

Add the missing feature: put the generated secret into certs.secret
2022-09-06 16:03:22 -04:00
pennae
722b99bc0e nixos/*: convert options with admonitions to MD
rendering changes only slightly, most changes are in spacing.
2022-08-31 16:36:16 +02:00
pennae
bd56368848 nixos/*: md-convert hidden plaintext options
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
2022-08-31 16:32:54 +02:00
pennae
9547123258 nixos/*: convert internal option descriptions to MD
we'll have to do it eventually, may as well be now.
2022-08-31 16:32:54 +02:00
pennae
ef176dcf7e nixos/*: automatically convert option descriptions
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running

    nix-doc-munge nixos/**/*.nix
    nix-doc-munge --import nixos/**/*.nix

the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
2022-08-31 16:32:53 +02:00
pennae
e4f876eb7e nixos/*: convert varlist-using options to MD
there are sufficiently few variable list around, and they are
sufficiently simple, that it doesn't seem helpful to add another
markdown extension for them. rendering differences are small, except in
the tor module: admonitions inside other blocks cannot be made to work
well with mistune (and likely most other markdown processors), so those
had to be shuffled a bit. we also lose paragraph breaks in the list
items due to how we have to render from markdown to docbook, but once we
remove docbook from the pipeline those paragraph breaks will be restored.
2022-08-31 16:32:53 +02:00
pennae
c915b915b5 nixos/*: md-convert options with unordered lists
mostly no rendering changes. some lists (like simplelist) don't have an
exact translation to markdown, so we use a comma-separated list of
literals instead.
2022-08-31 16:32:53 +02:00
Lassulus
f95d0b966e
Merge pull request #173495 from wucke13/pam-fix 2022-08-21 20:57:17 +02:00
pennae
6039648c50 nixos/*: automatically convert option docs 2022-08-19 22:40:58 +02:00
pennae
7e7d68a250 nixos/*: mark pre-existing markdown descriptions as mdDoc 2022-08-19 22:40:58 +02:00
pennae
b51f8036c2 nixos/*: use properly indented strings for option docs
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
2022-08-19 22:40:58 +02:00
pennae
e4ed177f82 nixos/* eliminate inner whitespace in tags that was missed earlier
nix-doc-munge won't match tags that contain newlines anywhere. most of
these have already been removed, but a few obviously made it through.
2022-08-19 22:40:58 +02:00
pennae
8f8e101527 nixos/*: normalize <package> to <literal>
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
2022-08-19 22:40:58 +02:00
Christian Kögler
5d52f38905
Merge pull request #166942 from AleXoundOS/patch-1
NixOS manual: fix ACME certificates in Nginx configuration sample
2022-08-19 09:55:43 +02:00
Maximilian Bosch
9e8ea1b855
Merge pull request #183717 from NetaliDev/mysql-auth
nixos: add mysql/mariadb user authentication module
2022-08-16 20:30:16 +02:00
Robert Hensing
d00583540b
Merge pull request #184368 from DieracDelta/jr/wrappers-run-size-option
nixos/security: add size option to /run/wrappers
2022-08-14 19:13:17 +02:00
Justin Restivo
82640adbf0 nixos/security: add size option to /run/wrappers 2022-08-14 07:31:37 -07:00
pennae
087472b1e5 nixos/*: automatically convert option docs 2022-08-06 20:39:12 +02:00
Netali
1a35b5aacb
nixos/pam: move pam_unix to the end of the account chain 2022-08-06 19:43:28 +02:00
Netali
f23a1e6a54
nixos: add mysql/mariadb user authentication 2022-08-06 19:39:23 +02:00
pennae
423545fe48 nixos/*: normalize manpage references to single-line form
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.

no change to the manpage, changes to the HTML manual are whitespace only.
2022-08-05 18:34:50 +02:00
pennae
61e93df189 nixos/*: automatically convert option docs to MD
once again using nix-doc-munge (69d080323a)
2022-08-03 22:46:41 +02:00
pennae
3aebb4a2be nixos/*: normalize link format
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.

the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
2022-08-03 21:57:46 +02:00
pennae
9c8531c8a5 nixos/*: replace <replaceable>s with «thing»
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
2022-08-03 21:08:58 +02:00
pennae
16102dce2f nixos/*: replace <code> in option docs with <literal>
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.

the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
2022-08-03 21:03:23 +02:00
pennae
6b13dd0e9e
Merge pull request #183491 from pennae/automatic-md-conversions
treewide: automatically md-convert option descriptions
2022-08-02 02:15:30 +02:00
Dan Callaghan
43aab2f50b
nixos/pam: add an option to control Kerberos PAM modules
Instead of enabling the PAM modules based on config.krb5.enable,
introduce a new option to control the PAM modules specifically.

Users may want to turn on config.krb5.enable, to get a working Kerberos
client config with tools like kinit, while letting pam_sss or something
else handle Kerberos password lookups.
2022-08-01 21:28:05 +10:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
pennae
a16b25432e
Merge pull request #182685 from pennae/invariant-option-conversions
treewide: invariant option conversions to MD
2022-07-27 15:39:47 +02:00
Stig
550aaf8c96
Merge pull request #182379 from stigtsp/fix/pam-u2f-cue
nixos/security/pam: fix u2f options leakage
2022-07-26 03:19:01 +02:00
pennae
cbc44d68a7 nixos/security: invariant option docs MD conversions 2022-07-24 13:01:18 +02:00
Netali
93132dc09c
nixos/pam: refactor pam_mount unmounting fix 2022-07-22 04:17:14 +02:00
Stig Palmquist
d07f3037e2
nixos/security/pam: fix u2f options leakage
Fix bug where pam_u2f options would be partially included in other pam.d
files if the module was enable for specific services, resulting in
broken configuration.
2022-07-21 23:14:09 +02:00
Arian van Putten
55bd770662
Merge pull request #167514 from shimunn/pam_u2f_module
nixos/security/pam: added `origin` option to pamu2f
2022-07-16 10:56:26 +02:00
shimun
327d99c0ca
nixos/security/pam: added origin option to pamu2f 2022-07-15 20:38:24 +02:00
pennae
320aa2a791 treewide: attempt at markdown option docs 2022-06-12 12:44:38 +02:00
Wanja Zaeske
305b633423 nixos/modules/security/pam: fix #95798 & #128116
Previously, `pam_unix.so` was `required` to set PAM_AUTHTOK so that
dependent pam modules (such as gnome keyering) could use the password
(for example to unlock a keyring) upon login of the user. This however
broke any additional auth providers (such as AD or LDAP): for any
non-local user `pam_unix.so` will not yield success, thus eventually the
auth would fail (even the following auth providers were actually
executed, they could not overrule the already failed auth).

This change replaces `required` by `optional`. Therefore, the
`pam_unix.so` is executed and can set the PAM_AUTHTOK for the following
optional modules, _even_ if the user is not a local user. Therefore, the
gnome keyring for example is unlocked both for local and additional
users upon login, and login is working for non-local users via
LDAP/AD.
2022-05-18 15:22:46 +02:00
Linus Heckemann
7c035dbb75
Merge pull request #156822 from xfix/wrapper-assert-argc-at-least-one
nixos/wrappers: require argc to be at least one
2022-05-16 18:52:51 +02:00
Janne Heß
e6fb1e63d1
Merge pull request #171650 from helsinki-systems/feat/config-systemd-package
treewide: pkgs.systemd -> config.systemd.package
2022-05-09 10:23:04 +02:00
Ivan Kozik
f18cc2cf02 nixos/security/wrappers: chown user:group instead of user.group to fix warnings from coreutils 9.1
activating the configuration...
setting up /etc...
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.messagebus’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
reloading user units for root...
2022-05-05 22:05:18 +00:00
Janne Heß
57cd07f3a9
treewide: pkgs.systemd -> config.systemd.package
This ensures there is only one systemd package when e.g. testing the
next systemd version.
2022-05-05 20:00:31 +02:00
Artturi
0b64a2d69a
Merge pull request #167108 from aaronjheng/oath-toolkit
oath-toolkit: Rename from oathToolkit to oath-toolkit
2022-05-05 03:58:39 +03:00
Luke Granger-Brown
1be4ba01ac
Merge pull request #164025 from lukegb/pam-ussh
pam-ussh: init at unstable-20210615
2022-04-11 01:25:45 +01:00
Jennifer Graul
3a8da578a7 nixos/pam_mount: add more config options 2022-04-09 15:33:13 +02:00
Jennifer Graul
b20a1c34c2 nixos/pam: fix pam_mount called multiple times
fixes automatic unmounting with pam_mount by preventing it to be called
multiple times at login
2022-04-09 15:33:13 +02:00
Aaron Jheng
f0c470f5eb
oath-toolkit: Rename from oathToolkit to oath-toolkit 2022-04-04 01:11:06 +00:00
Alexander T
e234e5e8f8
NixOS manual: fix ACME certificates in Nginx configuration example 2022-04-02 19:15:25 +03:00
Luke Granger-Brown
1853015550 nixos/pam: add support for pam-ussh
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
2022-03-13 17:31:46 +00:00
piegames
cd7e516b26
Merge pull request #156858: nixos/polkit: don't enable by default 2022-03-05 14:48:35 +01:00
Pascal Bach
b5fa1aa46f
Merge pull request #162496 from Baughn/master
pam: Fix google-authenticator reference
2022-03-04 17:18:17 +01:00
aszlig
7286be7e81 nixos/systemd-confinement: Allow shipped unit file
In issue #157787 @martined wrote:

  Trying to use confinement on packages providing their systemd units
  with systemd.packages, for example mpd, fails with the following
  error:

  system-units> ln: failed to create symbolic link
  '/nix/store/...-system-units/mpd.service': File exists

  This is because systemd-confinement and mpd both provide a mpd.service
  file through systemd.packages. (mpd got updated that way recently to
  use upstream's service file)

To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.

This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:

  * The systemd-confinement module already sets additional options via
    systemd.services and thus we should get a main unit file
  * In the unlikely event that we don't get a main unit file regardless
    of the previous point, the unit would be a no-op even if the options
    of the drop-in directory would apply

Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.

Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.

Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
2022-03-02 11:42:44 -08:00
Svein Ove Aas
cf0f406ed6 pam: Fix google-authenticator reference 2022-03-02 15:18:58 +00:00
Alyssa Ross
1176525f87 treewide: remove obsolete kernel version checks
We don't support Linux kernels older than 4.4 in Nixpkgs.
2022-02-19 21:09:19 +00:00
Nikolay Amiantov
524aecf61e google-compute-config: update config 2022-02-05 23:33:10 +03:00
Konrad Borowski
2a6a3d2c47 nixos/wrappers: require argc to be at least one
setuid applications were exploited in the past with an empty
argv, such as pkexec using CVE-2021-4034.
2022-01-28 12:26:20 +01:00
Konrad Borowski
1009d6e79e nixos/wrappers: create a new assert macro that always asserts
C's assert macro only works when NDEBUG is undefined. Previously
NDEBUG was undefined incorrectly which meant that the assert
macros in wrapper.c did not work.
2022-01-28 12:26:19 +01:00
polykernel
4a9d9928dc nixos/nix-daemon: use structural settings
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.

The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.

This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.

Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.

Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.

The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.

A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.

[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
2022-01-26 21:04:50 -05:00
Martin Weinelt
a813be071c
nixos/polkit: don't enable by default
SUID wrappers really shouldn't be enabled by default, unless a consumer
relies on them. So in my opinion this falls upon the desktop
environments if needed or a user to explicltly enable this if wanted.

Most desktop environments and services like CUPS already enable polkit
by default, that should really be sufficient.
2022-01-27 01:45:44 +01:00
github-actions[bot]
9b5359861c
Merge master into staging-next 2022-01-12 12:01:06 +00:00
pennae
b458e5133f
Merge pull request #146937 from amarshall/pam-apparmor-fix
nixos/pam: Fix apparmor syntax error
2022-01-12 06:31:35 +00:00
github-actions[bot]
e8dc263ca3
Merge staging-next into staging 2022-01-11 18:01:57 +00:00
Vladimír Čunát
c3805ba16c
Merge #153104: linux-pam: don't create dangling symlink during build
... into staging
2022-01-09 10:26:43 +01:00
Winter
b52607f43b nixos/acme: ensure web servers using certs can access them 2022-01-08 15:05:34 -05:00
Andrew Marshall
f62c11fcc3 nixos/pam: Fix apparmor syntax error
When running e.g. `aa-genprof` get error:

> ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/abstractions/pam line 26:
>     r /nix/store/XXXXX.pam,mr /nix/store/XXXXX-linux-pam-1.5.1/lib/security/pam_filter/*,

So add an explicit newline as concatMapStringsSep only adds them
between.
2022-01-02 22:51:26 -05:00
Winter
0715ef5968 linux-pam: don't create dangling symlink during build 2022-01-01 15:39:55 -05:00
Michele Guerini Rocco
59bfda7248
Merge pull request #152594 from ju1m/apparmor
security/wrappers: remove C compiler from the nixos/security.wrappers…
2021-12-31 15:09:52 +01:00
Julien Moutinho
0e5611e0be security/wrappers: remove C compiler from the nixos/security.wrappers AppArmor profile 2021-12-29 16:26:57 +01:00
Lucas Savva
65f1b8c6ae
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
2021-12-26 16:49:59 +00:00
Silvan Mosberger
2dcc3daadf
nixos/acme: Clean up default handling 2021-12-26 16:49:58 +00:00
Lucas Savva
41fb8d71ab
nixos/acme: Add useRoot option 2021-12-26 16:49:57 +00:00
Lucas Savva
8d01b0862d
nixos/acme: Update documentation
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
  DNS validation for all domains.
- Update DNS docs to show using a service to configure
  rfc2136 instead of manual steps.
2021-12-26 16:49:55 +00:00
Lucas Savva
377c6bcefc
nixos/acme: Add defaults and inheritDefaults option
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.

With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.

The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
2021-12-26 16:44:10 +00:00
Lucas Savva
a7f0001328
nixos/acme: Check for revoked certificates
Closes #129838

It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794

Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
2021-12-26 16:44:09 +00:00
Lucas Savva
87403a0b07
nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependant services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
2021-12-26 16:44:08 +00:00
Lucas Savva
a88d846b91
nixos/acme: Remove selfsignedDeps from finished targets
selfsignedDeps is already appended to the after and wants
of a cert's renewal service, making these redundant.

You can see this if you run the following command:
systemctl list-dependencies --all --reverse acme-selfsigned-mydomain.com.service
2021-12-26 16:44:07 +00:00
Graham Christensen
06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Martin Weinelt
e675946ecd
Merge pull request #125256 from deviant/acme-standalone 2021-12-11 22:06:48 +01:00
Janne Heß
7b5fb05a0d
nixos/pam: Type all limit options 2021-12-09 12:48:02 +01:00
pennae
e24a8775a8 treewide: set defaultText for options using simple path defaults
adds defaultText for all options that set their default to a path expression
using the ubiquitous `cfg` shortcut bindings.
2021-12-09 01:12:13 +01:00
ajs124
eee45bb295
Merge pull request #146815 from ElvishJerricco/systemd-utils-expressions
Move systemd-lib.nix and systemd-unit-options.nix into utils
2021-12-08 15:07:28 +00:00
Janne Heß
e37aab2130
nixos/acme: Allow disabling bash tracing
This is horrible if you want to debug failures that happened during
system switches but your 30-ish acme clients spam the log with the same
messages over and over again.
2021-12-07 14:17:56 +01:00
pennae
2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Roman Frołow
de6181dc51
nixos/acme: fix typo in docs 2021-11-30 21:31:50 +08:00
Lucas Savva
be952aba1c nixos/acme: Fix rate limiting of selfsigned services
Closes NixOS/nixpkgs#147348

I was able to reproduce this intermittently in the
test suite during the tests for HTTPd. Adding
StartLimitIntervalSec=0 to disable rate limiting
for these services works fine. I added it anywhere
there was a ConditionPathExists.
2021-11-29 11:15:31 +01:00
Victor Engmark
dcb941f3ed security/pam: Document test location 2021-11-27 20:36:50 +02:00
Poscat
942f57e79b nixos/acme: add an option for reloading systemd services after renewal 2021-11-24 13:50:20 -08:00
Will Fancher
851495a752 Move systemd-lib.nix and systemd-unit-options.nix into utils 2021-11-20 17:52:29 -05:00
Victor Engmark
ef58bbf9b7 nixos/pam: avoid extra lines in pam files 2021-11-16 19:26:43 +13:00
github-actions[bot]
707b006bf7
Merge master into staging-next 2021-11-09 00:01:30 +00:00
sternenseemann
d14ae62671 nixos/terminfo: inherit TERMINFO* env vars also for doas
This should mirror the behavior we implement for sudo: The TERMINFO and
TERMINFO_DIRS variables are inherited from the normal user's
environment, so terminfo files installed in the user's profile can be
found by ncurses applications running as root.
2021-11-08 14:05:24 -08:00
github-actions[bot]
eeb7e66e97
Merge master into staging-next 2021-11-06 18:01:01 +00:00
Nico Berlee
90bac670c0 nixos/pam: pam_mkhomedir umask to 0077
pam_mkhomedir should create homedirs with the same umask as the rest
of the system. Currently it creates homedirs with go+rx which makes
it readable for other non-privileged users.
2021-11-06 17:45:00 +02:00
github-actions[bot]
9e0658fa12
Merge staging-next into staging 2021-10-27 06:01:57 +00:00
github-actions[bot]
160c71e060
Merge master into staging-next 2021-10-27 06:01:21 +00:00
Peter Hoeg
22a500a3f8 pam_mount: do not re-prompt for password
nixos-rebuild test causes pam_mount to prompt for a password when running with
an encrypted home:

building '/nix/store/p6bflh7n5zy2dql8l45mix9qnzq65hbk-nixos-system-mildred-18.09.git.98592c5da79M.drv'...
activating the configuration...
setting up /etc...
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): crypt_activate_by_passphrase: File exists
(pam_mount.c:522): mount of /dev/mapper/vg0-lv_home_peter failed
kbuildsycoca5 running...

This change makes pam_mount not prompt. It still tries to remount (and fails in
the process) but that message can be ignored.

Fixes: #44586
2021-10-27 08:53:15 +08:00
github-actions[bot]
47ad670e14
Merge staging-next into staging 2021-10-26 00:02:18 +00:00
Martin Weinelt
a47e0a6554 Merge remote-tracking branch 'origin/master' into staging-next 2021-10-25 21:03:48 +02:00
Martin Weinelt
1c20719373
Merge pull request #139311 from NinjaTrappeur/nin-acme-fix-webroot 2021-10-25 20:27:29 +02:00
Maciej Krüger
b33ac6e5c0
Merge pull request #137646 from mkg20001/pam-audit 2021-10-19 15:28:51 +02:00
Luke Granger-Brown
1b74469cd0 nixos/ca: use cacert package build for options and p11-kit output
The cacert package can now generate p11-kit-compatible output itself,
as well as generating the correct set of outputs for fully-joined
and unbundled "traditional" outputs (in standard PEM and
OpenSSL-compatible formats).
2021-10-08 01:21:57 +00:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Félix Baylac-Jacqué
73846b372f
nixos/acme: add webroots to ReadWritePaths
Since 7a10478ea7, all /var except
/var/lib/acme gets mounted in a read-only fashion. This behavior
breaks the existing acme deployments having a webroot set outside of
/var/lib/acme.

Collecting the webroots and adding them to the paths read/write
mounted to the systemd service runtime tree.

Fixes #139310
2021-10-04 10:08:35 +02:00
Maciej Krüger
f3d00b3a94
nixos/pam: add pam_tty_audit option 2021-10-03 20:47:44 +02:00
Michele Guerini Rocco
2fcef20cb1
Merge pull request #138600 from austinbutler/tpm2-tss-group
nixos/tpm2: define group, fix after #133166
2021-09-20 18:34:39 +02:00
Austin Butler
8b6fa3c821 nixos/tpm2: define group, fix after NixOS#133166 2021-09-19 12:40:54 -07:00
rnhmjoj
1bd7260adb
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
2021-09-19 12:06:00 +02:00
Guillaume Girol
ceb2e6667b
Merge pull request #126289 from rnhmjoj/wrappers
nixos/security/wrappers: make well-typed
2021-09-18 15:28:49 +00:00
rnhmjoj
dc34788a25
nixos/lock-kernel-modules: use udevadm settle
Instead of relying on systemd-udev-settle, which is deprecated,
directly call `udevamd settle` to wait for hardware to settle.
2021-09-15 14:36:50 +02:00
rnhmjoj
65e83b0e23
nixos: fix nobody/nogroup in security.wrappers 2021-09-13 13:48:13 +02:00
rnhmjoj
fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00
rnhmjoj
8f76a6eefc
nixos: add implict security.wrappers options
This is to keep the same permissions/setuid/setgid as before the change
in security.wrappers defaults.
2021-09-13 13:48:13 +02:00
rnhmjoj
27dcb04cde
nixos/security/wrappers: remove WRAPPER_PATH
This appears to be a leftover from 628e6a83.
2021-09-13 13:48:13 +02:00
rnhmjoj
936e8eaf41
nixos/security/wrappers: fix shell quoting 2021-09-13 13:48:12 +02:00
rnhmjoj
7d8b303e3f
nixos/security/wrappers: check that sources exist
Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.
2021-09-13 10:38:04 +02:00
rnhmjoj
22004f7e8f
nixos/security/wrappers: use fixed defaults
To keep backward compatibility and have a typing would require making
all options null by default, adding a defaultText containing the actual
value, write the default value logic based on `!= null` and replacing
the nulls laters. This pretty much defeats the point of having used
a submodule type.
2021-09-12 21:43:25 +02:00
rnhmjoj
904f68fb0f
nixos/security/wrappers: make well-typed
The security.wrappers option is morally a set of submodules but it's
actually (un)typed as a generic attribute set. This is bad for several
reasons:

1. Some of the "submodule" option are not document;
2. the default values are not documented and are chosen based on
   somewhat bizarre rules (issue #23217);
3. It's not possible to override an existing wrapper due to the
   dumb types.attrs.merge strategy;
4. It's easy to make mistakes that will go unnoticed, which is
   really bad given the sensitivity of this module (issue #47839).

This makes the option a proper set of submodule and add strict types and
descriptions to every sub-option. Considering it's not yet clear if the
way the default values are picked is intended, this reproduces the current
behavior, but it's now documented explicitly.
2021-09-12 21:43:03 +02:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Zhaofeng Li
59af7f0a2b apparmor: Fix cups-client typo 2021-08-23 00:50:15 -07:00
Jörg Thalheim
9b962429be
Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
2021-08-20 23:23:42 +01:00
Jörg Thalheim
1645acf1d3 nixos: reduce pam files rebuilds on updates
Before whenever environment variables changed, pam files had to be
rebuild.

This is expensive since each file needs its own sandbox set up.
2021-08-20 23:43:30 +02:00
Malte Tammena
891e537592 Fix security.pam.yubico.challengeResponsePath type
The config is optional and may be left `null`.
2021-08-17 16:55:50 +02:00
Guillaume Girol
f626a23cd3
Merge pull request #130522 from Mic92/polkit
nixos/polkit: put polkituser into polkituser group
2021-08-08 15:09:15 +00:00
Martin Weinelt
f49b03c40b
Merge pull request #123258 from mweinelt/acme-hardening 2021-08-08 15:50:24 +02:00
Jörg Thalheim
b5f5a5e341 nixos/polkit: put polkituser into polkitgroup 2021-07-18 08:58:30 +02:00
mlatus
43ca464e37 nixos/pam: allow users to set the path to store challenge and expected responsed used by yubico_pam 2021-07-17 15:05:31 +08:00
Martin Weinelt
7a10478ea7
nixos/acme: harden systemd units 2021-07-06 15:16:01 +02:00
Martin Weinelt
dc940ecdb3
Merge pull request #121750 from m1cr0man/master
nixos/acme: Ensure certs are always protected
2021-07-06 15:10:54 +02:00
Jörg Thalheim
e12188c0f2
nixos/systemd-confinment: use /var/empty as chroot mountpoint
bind mounting directories into the nix-store breaks nix commands.
In particular it introduces character devices that are not supported
by nix-store as valid files in the nix store. Use `/var/empty` instead
which is designated for these kind of use cases. We won't create any
files beause of the tmpfs mounted.
2021-07-01 08:01:18 +02:00
Jörg Thalheim
1e125a8002
Merge pull request #122674 from wakira/pam-order
nixos/pam: prioritize safer auth methods over fingerprints
2021-06-26 16:52:25 +02:00
Jenny
7bf7d9f8a7
nixos/pam_mount: add support for FUSE-filesystems (#126069) 2021-06-08 22:06:28 +02:00
Niklas Hambüchen
fdca90d07f
docs: acme: Fix typo 2021-06-06 14:27:13 +02:00
V
6fc18eb419 nixos/acme: Allow using lego's built-in web server
Currently, we hardcode the use of --http.webroot, even if no webroot is
configured. This has the effect of disabling the built-in server.

Co-authored-by: Chris Forno <jekor@jekor.com>
2021-06-05 06:00:45 +02:00
Sandro
44327ab7dc
Merge pull request #124991 from ju1m/apparmor 2021-06-01 15:26:30 +02:00
Vincent Bernat
632c8e1d54
nixos/acme: don't use --reuse-key
Reusing the same private/public key on renewal has two issues:

 - some providers don't accept to sign the same public key
   again (Buypass Go SSL)

 - keeping the same private key forever partly defeats the purpose of
   renewing the certificate often

Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
2021-06-01 00:43:45 +02:00
Julien Moutinho
61654ca131 nixos/pam: use new plasma5Packages, fixes #124973 2021-05-30 21:44:25 +02:00
ajs124
e2cf342ba9 nixos/security/apparmor: utillinux -> util-linux 2021-05-17 17:14:08 +02:00
Keshav Kini
348858f297 nixos/security.pki: handle PEMs w/o a final newline
According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
2021-05-16 17:23:11 -07:00
Lucas Savva
083aba4f83 nixos/acme: Ensure certs are always protected
As per #121293, I ensured the UMask is set correctly
and removed any unnecessary chmod/chown/chgrp commands.
The test suite already partially covered permissions
checking but I added an extra check for the selfsigned
cert permissions.
2021-05-15 12:41:33 +01:00
Sheng Wang
e0adda4113
nixos/pam: prioritize safer auth methods over fingerprints
Currently if fprintd is enabled, pam will ask for fingerprint
regardless of other configured authentication modules (e.g. yubikey).

This change make fingerprint the last resort of authentication before asking for password.
2021-05-12 13:25:08 +09:00
github-actions[bot]
bc1f4b790e
Merge master into staging-next 2021-05-09 12:23:16 +00:00
Michele Guerini Rocco
e5452226af
Merge pull request #121791 from dotlambda/sudo-execWheelOnly
nixos/sudo: add option execWheelOnly
2021-05-09 10:04:15 +02:00
Robert Schütz
5624aa9f81 nixos/sudo: add option execWheelOnly
By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
2021-05-08 23:48:00 +02:00
Martin Weinelt
9651084620 Merge remote-tracking branch 'origin/master' into staging-next 2021-05-08 14:43:43 +02:00
Jan Tojnar
468cb5980b gnome: rename from gnome3
Since GNOME version is now 40, it no longer makes sense to use the old attribute name.
2021-05-08 09:47:42 +02:00
Julien Moutinho
b42a0e205d nixos/apparmor: disable killUnconfinedConfinables by default 2021-04-23 07:20:20 +02:00
Julien Moutinho
45e5d726b2 nixos/apparmor: improve code readability 2021-04-23 07:20:19 +02:00
Julien Moutinho
8f9b29d168 apparmor: 2.13.5 -> 3.0.0 2021-04-23 07:17:56 +02:00
Julien Moutinho
27032f4dd6 nixos/apparmor: fix logprof.conf generation 2021-04-23 07:17:56 +02:00
Tony Olagbaiye
fca06b142a nixos/apparmor: remove an IFD
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
2021-04-23 07:17:55 +02:00
Julien Moutinho
05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00
Robert Hensing
e0e241c219
Merge pull request #116369 from m1cr0man/master
nixos/acme: Fix webroot issues
2021-03-23 21:31:42 +01:00
Lucas Savva
920a3f5a9d nixos/acme: Fix webroot issues
With the UMask set to 0023, the
mkdir -p command which creates the webroot
could end up unreadable if the web server
changes, as surfaced by the test suite in #114751
On top of this, the following commands
to chown the webroot + subdirectories was
mostly unnecessary. I stripped it back to
only fix the deepest part of the directory,
resolving #115976, and reintroduced a
human readable error message.
2021-03-15 01:41:40 +00:00
Robert Hensing
f0e20e0975 acme: Determine offline whether renewal is due 2021-03-01 23:41:52 +01:00
Florian Klink
f3af2df658
Merge pull request #111635 from xaverdh/hide-pid-broken
nixos/hidepid: remove module, it's broken
2021-02-23 00:20:29 +01:00
Dominik Xaver Hörl
893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
nicoo
39383a8494 nixos/rngd: Remove module entirely, leave an explaination
Per @shlevy's request on #96092.
2021-02-21 01:32:50 +01:00
Sandro
fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
Florian Klink
dfb2bc857b nixos/acme: fix docs 2021-01-29 18:56:28 +01:00
Florian Klink
82102fc37d
Merge pull request #100356 from m1cr0man/docsupdate
nixos/acme: Docs, explain how to set permissions
2021-01-29 17:16:06 +01:00
Florian Klink
1030745555
Merge pull request #106857 from m1cr0man/master
nixos/acme: Fixes for account creation and remove tmpfiles usage
2021-01-27 17:52:16 +01:00
Jörg Thalheim
0998756db2
Merge pull request #109342 from Mic92/wrappers 2021-01-27 14:32:38 +00:00
Jörg Thalheim
dbd05a5289
Update nixos/modules/security/wrappers/wrapper.nix
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2021-01-14 09:00:34 +00:00
Jörg Thalheim
eadffd9154
nixos/wrappers: fix applying capabilities
With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors no make execution explicitly fail instead of
hiding errors behind debug environment variables and the code style was
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
2021-01-14 08:46:57 +01:00