This is needed because simp_le expects two certificates in fullchain.pem, leading to error:
> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.
We now create a CA and sign the key with it instead, providing correct fullchain.pem.
Also cleanup service a bit -- use PATH and a private temporary directory (which
is more suitable).
* bemenu: init at 2017-02-14
* velox: 2015-11-03 -> 2017-07-04
* orbment, velox: don't expose subprojects
the development of orbment and velox got stuck
their subprojects (bemenu, dmenu-wayland, st-wayland) don't work correctly outside of parent projects
so hide them to not confuse people
swc and wld libraries are unpopular and unlike wlc are not used by anything except velox
* pythonPackages.pydbus: init at 0.6.0
* way-cooler: 0.5.2 -> 0.6.2
* nixos/way-cooler: add module
* dconf module: use for wayland
non-invasive approach for #31293
see discussion at #32210
* sway: embed LD_LIBRARY_PATH for #32755
* way-cooler: switch from buildRustPackage to buildRustCrate #31150
Looking at upstream git repo (git://github.com/Yubico/pam-u2f.git) the
docs initially said the path was ~/.yubico/u2f_keys, but it was later
changed to ~/.config/Yubico/u2f_keys (in 2015).
I have run pam_u2f.so with "debug" option and observed that the correct
path indeed is ~/.config/Yubico/u2f_keys.
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.
Ensure that modules required by all declared fileSystems are explicitly
loaded. A little ugly but fixes the deferred mount test.
See also https://github.com/NixOS/nixpkgs/issues/29019
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).
My tests with sshfs (version 2 and 3) didn't show any problems.
See #28409 for some additional information.
[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.
Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.
See also #11864
#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.
auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.
auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates
Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.
The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.
The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session. This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).
From an aestethic point of view, enabling this option helps make the
configuration more "declarative".
Closes https://github.com/NixOS/nixpkgs/pull/24681
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.
Issue https://github.com/NixOS/nixops/issues/640.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.