Commit graph

289 commits

Author SHA1 Message Date
pennae
fc614c37c6 nixos/documentation: split options doc build
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.

in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
2022-01-02 19:46:13 +01:00
pennae
3dbb117aa5 nixos/aesmd: add missing defaultText 2021-12-29 20:12:03 +01:00
Maximilian Bosch
8f9f754271
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:

    Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"

This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:

    Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip

Increasing the buffer to 8192 fixes the problem for me.
2021-12-21 00:51:45 +01:00
Graham Christensen
06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Vincent Haupert
0b5c9f81e2 nixos/aesmd: add module
Co-authored-by: Alex Zero <joseph@marsden.space>
2021-12-10 10:18:31 +01:00
pennae
ed673a69db treewide: add defaultText for options with simple cfg.* expression defaults
adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
2021-12-09 01:14:16 +01:00
pennae
fb0e5be843 treewide: add defaultText for options with simple interpolation defaults
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
2021-12-09 01:13:48 +01:00
Robert Hensing
862d167f17
Merge pull request #147441 from pennae/option-doc-staticizing
nixos/*: add trivial defaultText to options where applicable
2021-12-06 01:35:38 +01:00
pennae
2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Moritz Hedtke
9d01ce82ac
nixos/tests: add step-ca test 2021-11-13 12:40:47 +01:00
Sandro
e5ac2e1a52
Merge pull request #122452 from ju1m/tor 2021-11-09 21:50:57 +01:00
Jasper Woudenberg
810b3b5fcd nixos/yubikey-agent add maintainer jwoudenberg 2021-10-29 23:13:50 +02:00
Jasper Woudenberg
4ceb33b982 nixos/yubikey-agent: start enabled agent on boot
This adds a `wantedBy` clause to the user systemd service for
yubikey-agent, to ensure an enabled agent is started on boot. This
brings the behavior inline with existing documentation.

If the user has selected a graphical pinentry program, then we need to
wait for the graphical environment to exist before starting the
yubikey-agent. I've found that if we start the agent earlier it will
fail when we perform an ssh command later.
2021-10-29 23:13:46 +02:00
Wei Tang
7c7cd951c5
nixos/step-ca: fix comment typo 2021-10-26 20:47:30 +02:00
Maximilian Bosch
47fc40d5ab
pythonPackages.privacyidea-ldap-proxy: 0.6.1 -> 0.6.2, switch to python3 2021-10-18 21:14:35 +02:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Aaron Andersen
559449530f
Merge pull request #132319 from onny/opensnitch
nixos/opensnitch: Add module for opensnitch
2021-09-19 11:31:21 -04:00
rnhmjoj
64f5d681d9
nixos/physlock: fix broken wrapper
- `user` doesn't exist -> `owner`
- set `setuid,group` as well (no longer optional)
2021-09-19 11:53:41 +02:00
Jonas Heinrich
94f775024e Opensnitch: Add module 2021-09-14 18:51:23 +02:00
Bobby Rong
39261adc92
Merge pull request #135626 from delroth/tor-netlink
nixos/tor: allow AF_NETLINK address family
2021-09-14 22:57:34 +08:00
Guillaume Girol
3592034595
Merge pull request #133166 from symphorien/nonogroup
Don't default to nogroup for the primary group of users.
2021-09-13 18:29:21 +00:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Maximilian Bosch
69e75754d5
nixos/privacyidea: use sudo(8) that's configured via the module 2021-09-08 22:45:50 +02:00
Pierre Bourdon
6b70d3e911
nixos/tor: allow AF_NETLINK address family
Tor attempts to detect what external IP address a machine is using by
listing addresses on all network interfaces on the system. This listing
is done using getifaddrs(3), which relies on netlink in order to get
IPv6 address information.

This change fixes Tor not finding the relay's IPv6 address unless
explicitly configured via either an ORPort directive or via DNS
resolution of the machine hostname.
2021-08-25 06:03:41 +02:00
Elis Hirwing
09a49354b6
nixos/hockeypuck: Add service for hockeypuck 2021-07-19 07:33:01 +02:00
Antoine Martin
2463620fc2
nixos/vaultwarden: make package configurable (#113216)
This allows the user to override the version of Vaultwarden used by the
service, if using an overlay to keep up to date with releases for
example.
2021-07-14 17:20:10 -04:00
K900
dc1b56c714 vaultwarden: update to 1.22.1, rename from bitwarden_rs
I tried to make this as non-breaking as possible, but it will still
break things slightly for people expecting certain file names in the
packages themselves.
2021-07-01 12:31:20 +03:00
Niklas Hambüchen
a48fea4c5e sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)

Also update description to the wording of the sshd_config man page.

`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Maximilian Bosch
5aad4e73b6
privacyIDEA: 3.5.2 -> 3.6
ChangeLog: https://github.com/privacyidea/privacyidea/releases/tag/v3.6

Unfortunately we have to use `sqlalchemy` at 1.3 for `sqlsoup`. As
`sqlalchemy` is required by a lot of packages, I decided to move this
package out of `pythonPackages` itself and instantiate a new
`pythonPackages` inside the expression where `sqlalchemy` points to
`sqlalchemy_1_3`.
2021-06-22 15:36:36 +02:00
talyz
b4c069b147
nixos/fail2ban: Remove reloadIfChanged = true
This makes the service fail when upgrading the package, so let's
properly restart it instead.
2021-06-16 13:52:46 +02:00
Ivan Kozik
d95960e275 nixos/bitwarden_rs: fix startup on 32 thread machines
LimitNPROC=64 is too low for bitwarden_rs to start on a 32 thread machine.
Remove the limit.

This fixes:

```
bitwarden_rs[38701]: /--------------------------------------------------------------------\
bitwarden_rs[38701]: |                       Starting Bitwarden_RS                        |
bitwarden_rs[38701]: |--------------------------------------------------------------------|
bitwarden_rs[38701]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
bitwarden_rs[38701]: | official channels to report bugs/features, regardless of client.   |
bitwarden_rs[38701]: | Send usage/configuration questions or feature requests to:         |
bitwarden_rs[38701]: |   https://bitwardenrs.discourse.group/                             |
bitwarden_rs[38701]: | Report suspected bugs/issues in the software itself at:            |
bitwarden_rs[38701]: |   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
bitwarden_rs[38701]: \--------------------------------------------------------------------/
bitwarden_rs[38701]: [INFO] No .env file found.
bitwarden_rs[38701]: [2021-05-24 03:34:41.121][bitwarden_rs::api::core::sends][INFO] Initiating send deletion
bitwarden_rs[38701]: [2021-05-24 03:34:41.122][start][INFO] Rocket has launched from http://127.0.0.1:8222
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'unnamed' panicked at 'failed to spawn thread: Os { code: 11, kind: WouldBlock, message: "Resource temporarily unavailable" }': /build/rustc-1.52.1-src/library/std/src/thread/mod.rs:620
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: core::result::unwrap_failed
bitwarden_rs[38701]:    7: hyper::server::listener::spawn_with
bitwarden_rs[38701]:    8: hyper::server::listener::ListenerPool<A>::accept
bitwarden_rs[38701]:    9: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:   10: core::ops::function::FnOnce::call_once{{vtable.shim}}
bitwarden_rs[38701]:   11: std::sys::unix:🧵:Thread:🆕:thread_start
bitwarden_rs[38701]:   12: start_thread
bitwarden_rs[38701]:   13: __GI___clone
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'main' panicked at 'internal error: entered unreachable code: the call to `handle_threads` should block on success': /build/bitwarden_rs-1.20.0-vendor.tar.gz/rocket/src/rocket.rs:751
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: rocket:🚀:Rocket::launch
bitwarden_rs[38701]:    7: bitwarden_rs::main
bitwarden_rs[38701]:    8: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:    9: std::rt::lang_start::{{closure}}
bitwarden_rs[38701]:   10: std::rt::lang_start_internal
bitwarden_rs[38701]:   11: main
```
2021-05-24 04:36:17 +00:00
Martin Weinelt
7bd65d54f7 treewide: remove nand0p as maintainer
While looking at the sphinx package I noticed it was heavily
undermaintained, which is when we noticed nand0p has been inactive for
roughly 18 months. It is therefore prudent to assume they will not be
maintaining their packages, modules and tests.

- Their last contribution to nixpkgs was in 2019/12
- On 2021/05/08 I wrote them an email to the address listed in the
  maintainer-list, which they didn't reply to.
2021-05-17 01:50:49 +02:00
Tom
33a4c43126
nixos/tor: fix HidServAuth (#122439)
* add an example for services.tor.settings.HidServAuth

* fix HidServAuth validation to require ".onion"
  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
2021-05-11 10:10:32 +02:00
Julien Moutinho
cd1f6bc712 nixos/tor: harden ProcSubset and ProtectProc 2021-05-10 16:50:41 +02:00
Jean-Baptiste Giraudeau
62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Luke Granger-Brown
be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
pennae
afb6fe2fff nixos/fail2ban: add extraPackages option
some ban actions need additional packages (eg ipset). since actions can be
provided by the user we need something general that's easy to configure.

we could also enable ipset regardless of the actual configuration of the system
if the iptables firewall is in use (like sshguard does), but that seems very
clumsy and wouldn't easily solve the binary-not-found problems other actions may
also have.
2021-04-24 18:14:56 +02:00
pennae
25c827b3cc nixos/fail2ban: add maxretry option
it's not possible to set a different default maxretry value in the DEFAULT jail
because the module already does so. expose the maxretry option to the
configuration to remedy this. (we can't really remove it entirely because
fail2ban defaults to 5)
2021-04-24 17:55:56 +02:00
Aaron Andersen
5f2a8deb17
Merge pull request #120324 from pennae/restart-sshguard
nixos/sshguard: restart sshguard when services/backend changes
2021-04-23 16:56:30 -04:00
pennae
265d31bcbd nixos/sshguard: restart sshguard when services/backend changes
backends changing shouldn't be very likely, but services may well change. we
should restart sshguard from nixos-rebuild instead of merely plopping down a new
config file and waiting for the user to restart sshguard.
2021-04-23 16:16:37 +02:00
Yorick van Pelt
279c7d43ee
nixos/oauth2_proxy: fix package name in nixos module 2021-04-18 14:21:38 +02:00
Graham Christensen
ffd29c76f6
Merge pull request #117928 from ymatsiuk/fprintd-tod
nixos/fprintd: add TOD support
2021-04-15 11:51:09 -04:00
Yurii Matsiuk
b29ed56049
nixos/fprintd: add TOD support
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>
2021-04-15 08:55:39 +02:00
Symphorien Gibol
7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
Sandro
ab1a223747
Merge pull request #112322 from mohe2015/module/declarative-step-ca 2021-04-12 17:35:54 +02:00
Hedtke, Moritz
01b1ddfa70 Add mohe2015 as maintainer to step-ca and nixos/step-ca 2021-04-09 14:57:43 +02:00
Hedtke, Moritz
d848dd07e6 nixos/step-ca: Add declarative step-ca service
Co-authored-by: midchildan <git@midchildan.org>
2021-04-09 14:57:43 +02:00
Sandro Jäckel
9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Maximilian Bosch
4a4f7dfb77
nixos/privacyidea: use envsubst to avoid leaking secrets to the store 2021-03-31 13:27:30 +02:00
Aaron Andersen
890327d751
Merge pull request #106698 from aanderse/nixos/clamav
nixos/clamav: add settings options to replace extraConfig options
2021-02-24 22:57:41 -05:00