Bind mount the base dirs of the tls key and chain into the service.
Make sure to bind every directory just once. The test failed on ofborg
when /nix/store and the certificate path in /nix/store/<some path> were
bound.
Issue: after installing, running `yubikey-agent -setup` produces the
following error:
```
nixOS: Failed to connect to the YubiKey: connecting to pscs: the Smart
card resource manager is not running
```
More on this issue: https://github.com/FiloSottile/yubikey-agent/issues/137
The previous changes for the 3.8 update are ready, but staging got
merged into master, so there are a few more challenges to tackle:
* Use python 3.10 now since it's actually supported and less effort to
build (3.9 isn't recursed into anymore).
* sphinx doesn't build with these overrides, so patch it out entirely
(i.e. drop `sphinxHook` where it's causing problems).
* backport a few jinja2 fixes for python 3.10 that were fixed in later
versions, but break because this env is stuck to 2.11.
- Adds an update script to fetch the compatible web vault version
- Removes `vaultwarden-vault` from top-level to prevent independent
updates through e.g. r-ryantm. Istead the vault is now accessible
at `vaultwarden.webvault`.
- The name webvault was chosen because it is the title of the projects
README and it makes it clearer, that this is the web UI.
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is
not necessary to also set in `LD_LIBRARY_PATH` of the systemd service.
Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
Add an option for physlock's -m flag, which mutes kernel messages on the
console. This ensures that the password prompt is the only thing on the
screen and isn't lost in a flood of kernel messages.
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time and apply actions to them (e.g. `disable` or
`delete`).
This patch adds two new things:
* A wrapper for `privacyidea-token-janitor` to make sure it's executable
from CLI. To achieve this, it does a `sudo(8)` into the
`privacyidea`-user and sets up the environment to make sure the
configuration file can be found. With that, administrators can
directly invoke it from the CLI without additional steps.
* An optional service is added which performs automatic cleanups of
orphaned and/or unassigned tokens. Yes, the tool can do way more
stuff, but I figured it's reasonable to have an automatic way to clean
up tokens of users who were removed from the PI instance. Additional
automation steps should probably be implemented in additional
services (and are perhaps too custom to add them to this module).
[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
In order to be able to use the unixd service with the `verify_ca` and
`verify_hostnames` set to `true` it needs to be able to read the
certificate store. This change bind mounts the cacert paths for the
unixd service.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.