2
0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-02-13 23:53:26 +00:00
Commit Graph

2286 Commits

Author SHA1 Message Date
Michele Guerini Rocco
d0cbcce8d4
Merge pull request from bjornfor/nixos-wpa-supplicant
nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
2021-05-10 08:16:39 +02:00
Robert Hensing
4433ba90aa
Merge pull request from rissson/nixos-unbound-fix-top-level-include
nixos/unbound: allow list of strings in top-level settings option type
2021-05-08 22:00:57 +02:00
Marc 'risson' Schmitt
0340cd2abe
nixos/unbound: allow list of strings in top-level settings option type
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-08 19:55:17 +02:00
Aaron Andersen
9254b82706
Merge pull request from j0hax/monero-options
nixos/monero: add dataDir option
2021-05-08 11:43:49 -04:00
Gemini Lasswell
28f51d7757 nixos/yggdrasil: set directory permissions before writing keys
Remove the opportunity for someone to read the keys in between when
they are written and when the chmod is done.  Addresses .
2021-05-08 09:49:19 +02:00
Johannes Arnold
c0853b6e2c nixos/monero: use isSystemUser = true 2021-05-08 02:13:25 +02:00
Maximilian Bosch
a50b9e6c23
Merge pull request from Ma27/wpa_multiple
wpa_supplicant: allow both imperative and declarative networks
2021-05-06 11:01:35 +02:00
Johannes Arnold
ff65166f44 nixos/monero: fix typo 2021-05-04 21:57:21 +00:00
Johannes Arnold
7cf3ffbddd nixos/monero: add dataDir option 2021-05-04 21:56:45 +00:00
Michele Guerini Rocco
93c5837be5
Merge pull request from rnhmjoj/searx
searx: set settings.yml permissions using umask
2021-05-04 11:43:12 +02:00
Andreas Rammhold
3ec6977d30
Merge pull request from rissson/nixos/unbound
nixos/unbound: add settings option, deprecate extraConfig
2021-05-03 21:49:24 +02:00
Marc 'risson' Schmitt
52f6733203
nixos/unbound: deprecate extraConfig in favor of settings
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.

Existing options have been renamed or kept if
possible.

An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally.  Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-03 21:27:15 +02:00
Silvan Mosberger
a221e6c330
Merge pull request from eyJhb/bind-list-to-attrs
nixos/bind: refactor zones from a list to attrset
2021-05-03 21:21:22 +02:00
eyjhb
757a455dde
nixos/bind: refactor zones from a list to attrset
This commit uses coercedTo to make zones a attrset instead of list.
Makes it easier to access/change zones in multiple places.
2021-05-03 20:04:42 +02:00
Silvan Mosberger
3e930b7e4a
Merge pull request from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
2021-05-03 16:24:42 +02:00
Luke Granger-Brown
4b42da3d85
Merge pull request from mweinelt/babeld
babeld: 1.9.2 -> 1.10
2021-05-03 10:00:12 +01:00
rnhmjoj
9ea6c1979c
nixos/searx: set settings.yml permissions using umask
This should solve a leakage of secrets as suggested in 
2021-05-03 09:53:50 +02:00
Martin Weinelt
a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: 
2021-05-01 19:46:48 +02:00
Martin Weinelt
33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Bjørn Forsman
5d47dc750f nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
Ref .
2021-05-01 15:34:04 +02:00
lunik1
248a57d61a
nixos/adguardhome: init () 2021-04-30 20:55:31 +02:00
Niklas Hambüchen
0dc08b4138 wireguard module: generatePrivateKeyFile: Fix chmod security race. Fixes
Until now, the `touch + chmod 600 + write` approach made it possible for
an unprivileged local user read the private key file, by opening
the file after the touch, before the read permissions are restricted.

This was only the case if `generatePrivateKeyFile = true` and the parent
directory of `privateKeyFile` already existed and was readable.

This commit fixes it by using `umask`, which ensures kernel-side that
the `touch` creates the file with the correct permissions atomically.

This commit also:

* Removes `mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"`
  because setting permissions `drw-r--r--` ("nobody can enter that dir")
  is awkward. `drwx------` would perhaps make sense, like for `.ssh`.
  However, setting the permissions on the private key file is enough,
  and likely better, because `privateKeyFile` is about that file
  specifically and no docs suggest that there's something special
  about its parent dir.
* Removes the `chmod 0400 "${values.privateKeyFile}"`
  because there isn't really a point in removing write access from
  the owner of the private key.
2021-04-30 18:55:38 +02:00
Vladimír Čunát
5b0871bd97
Merge : nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Vladimír Čunát
a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
Martin Weinelt
4e66e9aea5
nixos/babeld: start maintaining the module 2021-04-27 14:12:07 +02:00
github-actions[bot]
a956f62ea4
Merge master into staging-next 2021-04-25 06:05:34 +00:00
Martin Weinelt
e8988f7a30 nixos/babeld: run as DynamicUser
The last bits to prevent babeld from running unprivileged was its
kernel_setup_interface routine, that wants to set per interface
rp_filter. This behaviour has been disabled in a patch that has been
submitted upstream at https://github.com/jech/babeld/pull/68 and reuses
the skip-kernel-setup config option.

→ Overall exposure level for babeld.service: 1.7 OK 🙂
2021-04-25 00:54:52 +02:00
Sandro Jäckel
8ee00e6ca2
nixos/kresd: allow package to be configured 2021-04-24 09:18:45 +02:00
github-actions[bot]
b95da5efb6
Merge master into staging-next 2021-04-22 18:14:27 +00:00
github-actions[bot]
120744d620
Merge master into staging-next 2021-04-22 12:06:24 +00:00
Jörg Thalheim
40945d399d
quagga: remove
Upstream repositories do no longer exists. There has been no release in
a while. - Not a good combination for a network daemon running as root
in C that parses network packets...
2021-04-22 12:48:48 +02:00
Michael Weiss
3e01d42024
maintainers: remove tavyc
Their last commit was dcc84d8 from 2017.
Thank you for your contributions.
2021-04-22 11:34:25 +02:00
github-actions[bot]
9b3e698b14
Merge master into staging-next 2021-04-21 12:06:23 +00:00
Oleksii Filonenko
c2900f685f
Merge pull request from Jaculabilis/nebula
nixos/nebula: add basic module
2021-04-21 11:17:30 +03:00
github-actions[bot]
6ef7c23763
Merge master into staging-next 2021-04-19 18:11:51 +00:00
Lorenz Leutgeb
0b0cd3f6aa
mxisd: remove ()
* mxisd: remove

See EOL notice at https://github.com/kamax-matrix/mxisd/blob/master/EOL.md#end-of-life-notice

* mxisd: Add throwing EOL notice
2021-04-19 11:26:08 -04:00
github-actions[bot]
b57b2b362c
Merge master into staging-next 2021-04-18 18:10:37 +00:00
Johannes Schleifenbaum
dc282fc3f3
nixos/dnsdist: dndist.conf -> dnsdist.conf 2021-04-18 13:34:28 +02:00
Morgan Jones
064e0af80b nixos/nebula: Add enable option defaulting to true to Nebula networks 2021-04-16 19:57:02 -07:00
Maximilian Bosch
84670bf681
wpa_supplicant: review fixes 2021-04-16 13:28:26 +02:00
Maximilian Bosch
08ced9d67f
nixos/wpa_supplicant: make new behavior opt-in 2021-04-16 13:18:46 +02:00
Maximilian Bosch
de0a39166b
wpa_supplicant: allow both imperative and declarative networks
For a while now it's possible to specify an additional config file in
`wpa_supplicant`[1]. In contrast to the file specified via `-c` this was
supposed to be used for immutable settings and not e.g. additional
networks.

However I'm a little bit unhappy about the fact that one has to choose
between a fully imperative setup and a fully declarative one where the
one would have to write credentials for e.g. WPA2-enterprise networks
into the store.

The primary problem with the current state of `wpa_supplicant` is that
if the `SAVE_CONFIG` command is invoked (e.g. via `wpa_cli`), all known
networks will be written to `/etc/wpa_supplicant.conf` and thus all
declarative networks would get out of sync with the declarative
settings.

To work around this, I had to change the following things:

* The `networking.wireless`-module now uses `-I` for declarative config,
  so the user-controlled mode can be used along with the
  `networks`-option.

* I added an `ro`-field to the `ssid`-struct in the
  `wpa_supplicant`-sources. This will be set to `1` for each network
  specified in the config passed via `-I`.

  Whenever config is written to the disk, those networks will be
  skipped, so changes to declarative networks are only temporary.

[1] https://w1.fi/cgit/hostap/commit/wpa_supplicant?id=e6304cad47251e88d073553042f1ea7805a858d1
2021-04-16 13:18:25 +02:00
Martin Weinelt
7cf67850c0
Merge branch 'master' into staging-next 2021-04-15 01:01:26 +02:00
Guillaume Girol
f1a2ab6818
Merge pull request from symphorien/usertype
nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
2021-04-14 19:38:26 +00:00
Symphorien Gibol
7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
Vladimír Čunát
d2eb7a7887
Merge branch 'staging' into staging-next
A few conflicts but relatively clear ones (I think).
2021-04-14 10:08:25 +02:00
Graham Christensen
d72a60a59f
Merge pull request from grahamc/iscsi
NixOS: services.{openiscsi, target}, boot.iscsi-initiator: init
2021-04-13 13:19:34 -04:00
Martin Weinelt
8e1e78a735
nixos/babeld: allow AF_INET communication required for netlink socket
This broke after seccomp was updated from 2.5.0 to 2.5.1 in 22148780.
2021-04-13 02:41:54 +02:00
Sandro
000af0d8bf
Merge pull request from rhoriguchi/networkmanager
nixos/networkmanager: add missing kernel module for wpa authentication
2021-04-12 20:18:32 +02:00
Sandro
0c1d21dfa8
Merge pull request from yoctocell/privoxy-module-fix-forward-socks5
nixos/privoxy: add missing "/" to "forward-socks5" option
2021-04-12 16:49:29 +02:00