Commit graph

962 commits

Author SHA1 Message Date
Adam C. Stephens
b52452f8c7
Merge pull request #291951 from amarshall/zfs-pkgs-renaming
zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package
2024-03-01 10:09:12 -05:00
K900
8be79e54c5 nixos/pam/kwallet: rename option, allow setting package 2024-02-28 18:49:33 +03:00
Andrew Marshall
2e36c49949 nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion
`zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only
require `zfs.enabled` to be true here.
2024-02-27 18:46:00 -05:00
Ryan Lahfa
d9e7a2a88a
Merge pull request #286857 from RaitoBezarius/cacerts
nixos/security/ca: enable support for compatibility bundles
2024-02-11 19:44:02 +01:00
Raito Bezarius
19159a2349 nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL's non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
Raito Bezarius
2d78f55438 pam_usb, nixos/pam-usb: drop
`security.pam.usb` is broken anyway and upstream has abandoned the software.
2024-02-08 02:59:45 +01:00
Sandro
4494fcaab7
nixos/acme: default to Let's Encrypt production URL instead of null, mention Let's Encrypt staging URI (#270221) 2024-02-06 01:51:09 +01:00
Rhys Davies
d102910f47
nixos/pam: Add pam_intune 2024-02-02 10:01:52 +13:00
Pierre Bourdon
3484985991
Merge pull request #285587 from edef1c/wrapper-cve-2023-6246
nixos/modules/security/wrappers: limit argv0 to 512 bytes
2024-02-01 19:18:45 +01:00
edef
b4c9840652 nixos/modules/security/wrappers: limit argv0 to 512 bytes
This mitigates CVE-2023-6246, crucially without a mass-rebuild.

Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527
2024-02-01 18:16:55 +00:00
Adam Stephens
75ec325cb9
nixos/pam: remove pam_cgfs
pam_cgfs is a cgroups-v1 pam module. Verified with upstream that
this module is no longer necessary on cgroups-v2 systems.
2024-01-31 17:19:23 -05:00
éclairevoyant
b43dcaf48f
nixos/acme: fix assertion for renamed option 2024-01-19 16:28:56 -05:00
mian | mian
fbe9d95ed9
fix missing semi-colon 2024-01-18 16:31:54 +08:00
Peder Bergebakken Sundt
dff635f38d
Merge pull request #243169 from 2xsaiko/outgoing/krb5
nixos/krb5: cleanup, fix and RFC42-ify
2024-01-10 21:06:15 +01:00
nicoo
0e5c95035d nixos/pam: Fix use of renamed enableSSHAgentAuth option 2024-01-08 18:13:46 +00:00
Maciej Krüger
b5b2f6bec4
Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611
nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files
2024-01-08 17:42:02 +01:00
Maciej Krüger
c931d73fba
Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth
nixos/pam: Add assertion for SSH-agent auth
2024-01-07 13:54:27 +01:00
nicoo
2eac5106f1 nixos/sudo: Remove unused enableSSHAgentAuth let-binding 2024-01-04 17:30:09 +00:00
nicoo
9ed1423dcf nixos/pam: Warn on insecure sshAgentAuth configurations 2024-01-04 17:30:09 +00:00
nicoo
822c0a86bd nixos/pam: Add sshAgentAuth.authorizedKeysFiles option 2024-01-03 14:49:36 +00:00
nicoo
a46ea51ca3 nixos/pam: Rename option enableSSHAgentAuth to sshAgentAuth.enable 2024-01-03 14:49:36 +00:00
Maciej Krüger
4f9e98905e
nixos/auditd: fix typo
Would otherwise fail with

```
       error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
       - In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
2024-01-01 17:28:46 +01:00
nicoo
607679c6d3 nixos/pam: Assert that authorizedKeysFiles is non-empty when using pam_ssh_agent_auth 2023-12-30 22:19:38 +00:00
nikstur
d0014a531e nixos/wrappers: order service after sysusers service 2023-12-29 03:41:45 +01:00
nikstur
65ff518a0d nixos/ipa: replace activationScript
Replaced with a dedicated systemd service.
2023-12-29 03:41:45 +01:00
nikstur
c9569af3e0
Merge pull request #271326 from philiptaron/shutdown.target
treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case
2023-12-27 08:33:26 +01:00
Sandro Jäckel
35ca689119
nixos/wrapper: add basename of the wrapped program to the wrapper's name to easily identify it
Also fix the comment with test instructions
2023-12-24 20:36:12 +01:00
nicoo
1e9e8a0db0 nixos/sudo-rs: Removed unused let-binding
Leftover from bcc2d1238a
2023-12-24 13:58:08 +00:00
Marco Rebhan
5ee94c0170
nixos/krb5: add h7x4 as maintainer 2023-12-21 11:38:22 +01:00
Marco Rebhan
a4a9be35f4
nixos/krb5: add myself as maintainer for module & tests 2023-12-21 11:38:18 +01:00
Marco Rebhan
fed77d1705
nixos/krb5: move to security.krb5 2023-12-21 11:35:26 +01:00
pennae
90c53f5341
Merge pull request #270224 from SuperSandro2000/patch-2
nixos/acme: add syntax highlighting to code blocks
2023-12-11 09:03:32 +01:00
Sandro
5a64fb2799
nixos/acme: add syntax highlighting to code blocks 2023-12-10 19:59:22 +01:00
Philip Taron
a7a5b2eca1
nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target 2023-11-30 15:03:56 -08:00
Philip Taron
d7ab46ed87
nixos/duosec: ensure correct ordering w.r.t. shutdown.target 2023-11-30 15:02:51 -08:00
Philip Taron
407ef67228
nixos/auditd: ensure correct ordering w.r.t. shutdown.target
This looks like it's got a few other idiosyncrasies, but I'll leave it
alone for now.
2023-11-30 15:00:39 -08:00
Philip Taron
454f3cb58d
nixos/apparmor: ensure correct ordering w.r.t. shutdown.target 2023-11-30 14:57:59 -08:00
Weijia Wang
feeae486de
Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption
treewide: use `mkPackageOption`
2023-11-30 02:49:30 +01:00
h7x4
0a37316d6c
treewide: use mkPackageOption
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
nicoo
bcc2d1238a nixos/sudo-rs: Move support for pam_ssh_agent_auth(8) to PAM's NixOS module
Similar to delroth's suggestion in #262790.
2023-11-25 14:11:25 +00:00
nicoo
f5d059b1f5 nixos/sudo-rs: Clarify security.sudo-rs.enable's description 2023-11-25 14:11:24 +00:00
nicoo
46aaa5be70 nixos/sudo-rs: Refactor option definitions 2023-11-25 14:11:24 +00:00
nicoo
03db94319a nixos/sudo-rs: refactor processing of cfg.extraRules 2023-11-25 14:11:24 +00:00
nicoo
9b0a63c2fe nixos/sudo-rs: Fix bug putting the wrong version of sudo in environment.systemPackages 2023-11-25 14:11:24 +00:00
nicoo
165b600f01 nixos/sudo-rs: Drop checks for sudo implementation 2023-11-25 14:11:23 +00:00
nicoo
cd42b18a2c nixos/sudo-rs: uniformize ssh-agent auth behaviour with security.sudo 2023-11-25 14:11:23 +00:00
nicoo
b05648b541 nixos/sudo-rs: Simplify activation 2023-11-25 14:11:23 +00:00
ners
ed31e0235e treewide: replace broken udev paths with systemd 2023-11-21 15:09:38 +01:00
Léo Gaspard
b1c25de57b
nixos/acme: do not eat Let's Encrypt's request limits if misconfigured on first try (#266155) 2023-11-14 20:29:50 +01:00
nicoo
d5a8e667d2 nixos/sudo: Update assertion message 2023-11-14 12:25:55 +00:00