Commit Graph

448 Commits

Author SHA1 Message Date
h7x4
d167743c72
nixos/kanidm: declare online_backup options 2024-01-12 10:19:14 +01:00
Nick Cao
0b88c3d297
Merge pull request #265783 from Silver-Golden/bitwarden-directory-connector_pkgs
Bitwarden directory connector: init
2024-01-07 10:28:04 -05:00
Brendan Golden
f7c25138ea nixos/bitwarden-directory-connector: init at version
Added the module to use bitwarden-directory-connector.
2024-01-07 11:22:31 +00:00
Nick Cao
66ea36d4d3
Merge pull request #276159 from AtaraxiaSjel/fix/tor-obfs4proxy
nixos/tor: fix transport plugin exe name
2024-01-01 15:55:04 -05:00
markuskowa
15b39c2238
Merge pull request #275080 from SomeoneSerge/feat/munge-systemd
nixos/munge: update the systemd service
2023-12-30 00:11:12 +01:00
Dmitriy Kholkin
0929716b02
nixos/tor: fix transport plugin exe name 2023-12-29 23:20:15 +03:00
Someone Serge
b27c3e8252
nixos/munge: restart "on-failure" (the default was "no") 2023-12-17 22:18:06 +00:00
Someone Serge
515a26d997
nixos/munge: run in foreground instead of using pidfile
Confuse systemd less
2023-12-17 22:16:09 +00:00
Someone Serge
b29d689e3a
nixos/munge: ask for the optional time-sync.target 2023-12-17 22:16:06 +00:00
Someone Serge
8fe8a22578
nixos/munge: ask for network-online instead of network.target 2023-12-17 22:16:01 +00:00
Anderson Torres
d7605f18a9 nixos.shibboleth-sp: remove jammerful from meta.maintainers 2023-12-09 22:39:10 -03:00
happysalada
93c790aef3 nixos/clamav: add scanner service 2023-12-05 22:53:35 +00:00
happysalada
6b014e92de nixos/clamav: fix /run/clamav being removed 2023-12-05 22:53:35 +00:00
h7x4
79d3d59f58
treewide: replace mkPackageOptionMD with mkPackageOption 2023-11-30 19:03:14 +01:00
Weijia Wang
feeae486de
Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption
treewide: use `mkPackageOption`
2023-11-30 02:49:30 +01:00
fasheng
52c81e882b nixos/fail2ban: fix default value for banaction-allports
It's iptables-allports instead of iptables-allport.

https://github.com/fail2ban/fail2ban/tree/master/config/action.d
2023-11-29 16:17:53 +01:00
Someone Serge
d97d2fb271 nixos/clamav: ensure freshclam starts before clamav (if enabled) 2023-11-28 14:21:30 +00:00
h7x4
0a37316d6c
treewide: use mkPackageOption
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
happysalada
e5b0b76105 nixos/clamav: add fangfrisch updater 2023-11-24 09:09:46 +00:00
happysalada
eb746540a9 nixos/clamav: run as clamav user not root 2023-11-22 03:08:30 +00:00
happysalada
ef6b8ff15a nixos/clamav: use state and runtime directory 2023-11-22 03:08:30 +00:00
Maximilian Bosch
48459567ae nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989

First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.

The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).

After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].

So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that

* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
  `ensureUsers`. That way, the user is actually the owner and can
  perform `CREATE`.
* For such a postgres user, a database must be declared in
  `ensureDatabases`.

For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.

Regarding existing setups: there are effectively two options:

* Leave everything as-is (assuming that system user == db user == db
  name): then the DB user will automatically become the DB owner and
  everything else stays the same.

* Drop the `createDatabase = true;` declarations: nothing will change
  because a removal of `ensure*` statements is ignored, so it doesn't
  matter at all whether this option is kept after the first deploy (and
  later on you'd usually restore from backups anyways).

  The DB user isn't the owner of the DB then, but for an existing setup
  this is irrelevant because CREATE on the public schema isn't revoked
  from existing users (only not granted for new users).

[1] not really declarative though because removals of these statements
    are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
    because it IMHO falls into the category "manage the state on your
    own" (see the commit message). See also
    https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
    also add more things like collation for DBs or passwords that are
    _never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-13 17:16:25 +01:00
Maximilian Bosch
5927d55685
privacyidea: remove
Related to #262907 (Django3 removal from nixpkgs).

This package already required an unreasonable amount of maintenance
regularly for a such small leaf-package. It has a few highly outdated
dependencies (e.g. flask 1, jinja2 2.11, sqlalchemy 1.3).

After at least each Python package-set update one had to fix up a lot of
dependencies to fix the package itself, so it was only useful on stable
branches. And having so much outdated software in a security-sensitive
piece of software seems questionable.

Finally, globin and I won't be available for maintaining this now that
Mayflower is migrating to another solution (and we'll do that as well)
and I'd expect this to bitrot extremely quick if we both bail out.
2023-10-31 14:17:48 +01:00
nikstur
95e6dfd5d9
Merge pull request #260275 from thillux/jitterentropy-rngd
jitterentropy-rngd: init at 1.2.8
2023-10-21 19:10:51 +02:00
Sandro Jäckel
7f94b9e9c6
nixos/fail2ban: change bantime default to not be config breaking 2023-10-21 02:38:29 +02:00
Markus Theil
e98a8367ec jitterentropy-rngd: init at 1.2.8
Add jitterentropy-rngd, a tool similar to rng-tools.
While not necessarily needed, it is useful for those
who want to strengthen their kernel entropy input pool
by periodic insertion of an independent source.

The entropy source is a NIST SP800-90B compliant
non-physical true RNG source on most systems.
See the jitterentropy documentation for details
(http://chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf).

Signed-off-by: Markus Theil <theil.markus@gmail.com>
2023-10-20 10:04:11 +02:00
Christopher Crouse
f9947192cb
nixos/opensnitch: fix typo and enable new system rules
Fixed typo to enable [new system rules](https://github.com/evilsocket/opensnitch/wiki/System-rules#upgrading-from-previous-versions)

Fixes: https://github.com/NixOS/nixpkgs/issues/256290
2023-10-17 18:00:48 +00:00
Artturi
22e61b1402
nixos/fail2ban: also inherit bantime (#244688)
nixos/fail2ban: also inherit bantime
2023-10-17 09:40:39 +03:00
Jean-François Roche
fb3723fe52
nixos/tang: create module for tang server (#247037)
This commit adds a module for the tang server and the related nixos test.
2023-10-16 13:10:15 +02:00
Andreas Wiese
1e8b8e6d38 nixos/usbguard: don't use path literal for pure evaluation
PR#256295 reintroduced ruleFile option, but set the default as a path
literal, which was a "string path" previously.  This breaks evaluation
for being impure:

  error: access to absolute path '/var/lib/usbguard/rules.conf' is forbidden in pure eval mode (use '--impure' to override)
2023-09-27 11:22:09 +02:00
0x4A6F
a0db07dad5
Merge pull request #256295 from Janik-Haag/usbguard
nixos/usbguard: restore ruleFile option
2023-09-25 22:05:36 +02:00
Janik H.
3b673297e7
nixos/usbguard: restore ruleFile option 2023-09-20 13:55:55 +02:00
Niklas Hambüchen
c460434104 nixos/vaultwarden: Fix doubly-nested config value. Fixes evaluation 2023-09-19 16:46:08 +00:00
Sagi Sarussi
f3cf8b679b nixos/kanidm: fix broken doc links 2023-08-31 14:03:30 +03:00
Ilan Joselevich
fb1f530bc6
Merge pull request #249521 from Kranzes/oauth2-proxy
nixos/oauth2_proxy: service after network.target -> network-online.target
2023-08-17 03:16:10 +03:00
Ilan Joselevich
0a732d2adf
nixos/oauth2_proxy: service after network.target -> network-online.target 2023-08-16 14:40:33 +03:00
h7x4
655a04a8fa
nixos/kanidm: add package option
Signed-off-by: h7x4 <h7x4@nani.wtf>
2023-08-15 10:05:44 +02:00
Jonas Heinrich
c5f4a46036 nixos/opensnitch: Add support for EPBF process monitor
Co-authored-by: Slime90
2023-08-13 22:19:48 +08:00
Martin Weinelt
184d15cc06
kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13
https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13

The kanidmd process now creates a unix socket, over which admin tasks
can be done, without having to shut kanidm down first.

The kanidm_unixd process now wants access to /etc/shadow and /etc/group,
so it can rule out collisions with the host system.
2023-08-01 17:13:58 +02:00
Tim
28a081c736
also inherit bantime 2023-07-21 18:48:20 +02:00
André Schröder
9858973dad nixos/vaultwarden: Fix Markdown syntax of link
The typo was introduced in 1d41cff3dc
2023-07-17 23:41:44 +02:00
Oliver Richter
9d6cd34766 esdm: init at 0.6.0
Signed-off-by: Oliver Richter <richter-oliver@gmx.net>
2023-07-13 16:08:12 +02:00
Lassulus
0e1fc501c6
Merge pull request #241927 from ether42/usbguard
nixos/usbguard: rename services.usbguard.implictPolicyTarget to services.usbguard.implicitPolicyTarget
2023-07-12 18:58:30 +02:00
Felix Buehler
bec27fabee treewide: use lib.optional instead of 'then []' 2023-07-12 09:36:28 +01:00
Kevin Boulain
680ee304ca nixos/usbguard: rename services.usbguard.implictPolicyTarget to services.usbguard.implicitPolicyTarget 2023-07-06 15:34:40 +02:00
Lassulus
f751061a08
Merge pull request #237477 from accelbread/usbguard-dbus-support
nixos/usbguard: add USBGuard dbus daemon option
2023-07-05 23:13:10 +02:00
Ryan Lahfa
7672c1e9ae
Merge pull request #201907 from Tom-Hubrecht/fail2ban 2023-07-02 13:57:47 +02:00
Niklas Hambüchen
080757c6c5 nixos/vaultwarden: Bind to localhost by default. See #100192 2023-07-01 15:35:28 +02:00
Tom Hubrecht
208ee8b2e2 nixos/fail2ban: use attrsets for settings instead of strings 2023-06-30 22:27:40 +02:00
Felix Buehler
933a41a73f treewide: use optional instead of 'then []' 2023-06-25 09:11:40 -03:00