Commit graph

272 commits

Author SHA1 Message Date
Aaron Andersen
559449530f
Merge pull request #132319 from onny/opensnitch
nixos/opensnitch: Add module for opensnitch
2021-09-19 11:31:21 -04:00
rnhmjoj
64f5d681d9
nixos/physlock: fix broken wrapper
- `user` doesn't exist -> `owner`
- set `setuid,group` as well (no longer optional)
2021-09-19 11:53:41 +02:00
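Added illustration of the wrapper schema the message refers to (this is not the commit's diff nor the physlock module's own code; the `source` path is an assumption): `security.wrappers` entries take `owner`, not `user`, and `group` and `setuid` have to be given explicitly.

```nix
# Added example, not code from the nixpkgs physlock module.
# Assumption: the wrapped binary lives at ${pkgs.physlock}/bin/physlock.
{ pkgs, ... }:
{
  security.wrappers.physlock = {
    # Ownership of the wrapper binary; a `user` attribute does not exist,
    # so a stale `user = "root";` is silently dropped rather than honoured.
    owner = "root";
    group = "root";
    # The setuid bit is no longer implied and must be requested by name.
    setuid = true;
    source = "${pkgs.physlock}/bin/physlock";
  };
}
```

After `nixos-rebuild switch`, `ls -l /run/wrappers/bin/physlock` should show a root-owned file with `s` in the owner execute position; if the wrapper shows plain `x` there, the `setuid` attribute was not applied.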
Jonas Heinrich
94f775024e Opensnitch: Add module 2021-09-14 18:51:23 +02:00
Bobby Rong
39261adc92
Merge pull request #135626 from delroth/tor-netlink
nixos/tor: allow AF_NETLINK address family
2021-09-14 22:57:34 +08:00
Guillaume Girol
3592034595
Merge pull request #133166 from symphorien/nonogroup
Don't default to nogroup for the primary group of users.
2021-09-13 18:29:21 +00:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Maximilian Bosch
69e75754d5
nixos/privacyidea: use sudo(8) that's configured via the module 2021-09-08 22:45:50 +02:00
Pierre Bourdon
6b70d3e911
nixos/tor: allow AF_NETLINK address family
Tor attempts to detect what external IP address a machine is using by
listing addresses on all network interfaces on the system. This listing
is done using getifaddrs(3), which relies on netlink in order to get
IPv6 address information.

This change fixes Tor not finding the relay's IPv6 address unless
explicitly configured via either an ORPort directive or via DNS
resolution of the machine hostname.
2021-08-25 06:03:41 +02:00
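Added example of the systemd hardening shape this message is about (not the nixos/tor module's own `serviceConfig`; the exact family list is an assumption). `RestrictAddressFamilies` is an allow-list, so leaving `AF_NETLINK` out of it makes the `NETLINK_ROUTE` socket that glibc's `getifaddrs(3)` opens fail, and Tor never sees its own IPv6 address.

```nix
# Added example; not the nixpkgs Tor module's configuration.
# Assumption: tor.service already carries the rest of its sandboxing and
# only the address-family allow-list is shown here.
{ ... }:
{
  systemd.services.tor.serviceConfig = {
    # AF_NETLINK is what getifaddrs(3) uses to enumerate IPv6 addresses;
    # without it, Tor only learns its address from ORPort or hostname DNS.
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
  };
}
```

To confirm the allow-list on a running system use `systemctl show tor.service -p RestrictAddressFamilies`; `strace -f -e trace=socket` on the daemon should show a `socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)` call succeeding rather than returning `EAFNOSUPPORT`.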
Elis Hirwing
09a49354b6
nixos/hockeypuck: Add service for hockeypuck 2021-07-19 07:33:01 +02:00
Antoine Martin
2463620fc2
nixos/vaultwarden: make package configurable (#113216)
This allows the user to override the version of Vaultwarden used by the
service, if using an overlay to keep up to date with releases for
example.
2021-07-14 17:20:10 -04:00
K900
dc1b56c714 vaultwarden: update to 1.22.1, rename from bitwarden_rs
I tried to make this as non-breaking as possible, but it will still
break things slightly for people expecting certain file names in the
packages themselves.
2021-07-01 12:31:20 +03:00
Niklas Hambüchen
a48fea4c5e sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for successful logins, see:
6247812c76/auth.c (L323-L328)

Also update description to the wording of the sshd_config man page.

`fail2ban` needs sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Maximilian Bosch
5aad4e73b6
privacyIDEA: 3.5.2 -> 3.6
ChangeLog: https://github.com/privacyidea/privacyidea/releases/tag/v3.6

Unfortunately we have to use `sqlalchemy` at 1.3 for `sqlsoup`. As
`sqlalchemy` is required by a lot of packages, I decided to move this
package out of `pythonPackages` itself and instantiate a new
`pythonPackages` inside the expression where `sqlalchemy` points to
`sqlalchemy_1_3`.
2021-06-22 15:36:36 +02:00
talyz
b4c069b147
nixos/fail2ban: Remove reloadIfChanged = true
This makes the service fail when upgrading the package, so let's
properly restart it instead.
2021-06-16 13:52:46 +02:00
Ivan Kozik
d95960e275 nixos/bitwarden_rs: fix startup on 32 thread machines
LimitNPROC=64 is too low for bitwarden_rs to start on a 32 thread machine.
Remove the limit.

This fixes:

```
bitwarden_rs[38701]: /--------------------------------------------------------------------\
bitwarden_rs[38701]: |                       Starting Bitwarden_RS                        |
bitwarden_rs[38701]: |--------------------------------------------------------------------|
bitwarden_rs[38701]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
bitwarden_rs[38701]: | official channels to report bugs/features, regardless of client.   |
bitwarden_rs[38701]: | Send usage/configuration questions or feature requests to:         |
bitwarden_rs[38701]: |   https://bitwardenrs.discourse.group/                             |
bitwarden_rs[38701]: | Report suspected bugs/issues in the software itself at:            |
bitwarden_rs[38701]: |   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
bitwarden_rs[38701]: \--------------------------------------------------------------------/
bitwarden_rs[38701]: [INFO] No .env file found.
bitwarden_rs[38701]: [2021-05-24 03:34:41.121][bitwarden_rs::api::core::sends][INFO] Initiating send deletion
bitwarden_rs[38701]: [2021-05-24 03:34:41.122][start][INFO] Rocket has launched from http://127.0.0.1:8222
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'unnamed' panicked at 'failed to spawn thread: Os { code: 11, kind: WouldBlock, message: "Resource temporarily unavailable" }': /build/rustc-1.52.1-src/library/std/src/thread/mod.rs:620
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: core::result::unwrap_failed
bitwarden_rs[38701]:    7: hyper::server::listener::spawn_with
bitwarden_rs[38701]:    8: hyper::server::listener::ListenerPool<A>::accept
bitwarden_rs[38701]:    9: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:   10: core::ops::function::FnOnce::call_once{{vtable.shim}}
bitwarden_rs[38701]:   11: std::sys::unix::thread::Thread::new::thread_start
bitwarden_rs[38701]:   12: start_thread
bitwarden_rs[38701]:   13: __GI___clone
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'main' panicked at 'internal error: entered unreachable code: the call to `handle_threads` should block on success': /build/bitwarden_rs-1.20.0-vendor.tar.gz/rocket/src/rocket.rs:751
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: rocket::rocket::Rocket::launch
bitwarden_rs[38701]:    7: bitwarden_rs::main
bitwarden_rs[38701]:    8: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:    9: std::rt::lang_start::{{closure}}
bitwarden_rs[38701]:   10: std::rt::lang_start_internal
bitwarden_rs[38701]:   11: main
```
2021-05-24 04:36:17 +00:00
Martin Weinelt
7bd65d54f7 treewide: remove nand0p as maintainer
While looking at the sphinx package I noticed it was heavily
undermaintained, which is when we noticed nand0p has been inactive for
roughly 18 months. It is therefore prudent to assume they will not be
maintaining their packages, modules and tests.

- Their last contribution to nixpkgs was in 2019/12
- On 2021/05/08 I wrote them an email to the address listed in the
  maintainer-list, which they didn't reply to.
2021-05-17 01:50:49 +02:00
Tom
33a4c43126
nixos/tor: fix HidServAuth (#122439)
* add an example for services.tor.settings.HidServAuth

* fix HidServAuth validation to require ".onion"
  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
2021-05-11 10:10:32 +02:00
Jean-Baptiste Giraudeau
62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Luke Granger-Brown
be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
pennae
afb6fe2fff nixos/fail2ban: add extraPackages option
some ban actions need additional packages (eg ipset). since actions can be
provided by the user we need something general that's easy to configure.

we could also enable ipset regardless of the actual configuration of the system
if the iptables firewall is in use (like sshguard does), but that seems very
clumsy and wouldn't easily solve the binary-not-found problems other actions may
also have.
2021-04-24 18:14:56 +02:00
pennae
25c827b3cc nixos/fail2ban: add maxretry option
it's not possible to set a different default maxretry value in the DEFAULT jail
because the module already does so. expose the maxretry option to the
configuration to remedy this. (we can't really remove it entirely because
fail2ban defaults to 5)
2021-04-24 17:55:56 +02:00
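Added example tying together the sshd `logLevel` commit above and the fail2ban `maxretry`/`extraPackages` commits (not code from either commit or from the fail2ban module; the jail name and `banaction` value are assumptions). The point is that sshd's `INFO` default already records which key authenticated a login, that the fail2ban module raises it to `VERBOSE` itself, and that ipset-based ban actions need the binary on the service's PATH.

```nix
# Added example; not nixpkgs module code.
# Assumptions: a jail named "sshd" and the fail2ban-shipped
# iptables-ipset-proto6-allports action are used.
{ pkgs, ... }:
{
  services.openssh.enable = true;
  # logLevel is left at the upstream default (INFO): successful logins still
  # log "Accepted publickey for <user> ... SHA256:<fingerprint>". Enabling
  # fail2ban below raises it to VERBOSE via the module.

  services.fail2ban = {
    enable = true;
    # Module-wide default for the DEFAULT jail; fail2ban itself defaults to 5.
    maxretry = 3;
    # ipset-backed actions exec `ipset`; without this the action fails with
    # a binary-not-found error at ban time.
    extraPackages = [ pkgs.ipset ];
    jails.sshd = ''
      enabled = true
      banaction = iptables-ipset-proto6-allports
    '';
  };
}
```

Check with `fail2ban-client get sshd maxretry` (expect `3`) and `fail2ban-client status sshd`; `grep -i loglevel /etc/ssh/sshd_config` should read `VERBOSE` while fail2ban is enabled and `INFO` once it is disabled again.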
Aaron Andersen
5f2a8deb17
Merge pull request #120324 from pennae/restart-sshguard
nixos/sshguard: restart sshguard when services/backend changes
2021-04-23 16:56:30 -04:00
pennae
265d31bcbd nixos/sshguard: restart sshguard when services/backend changes
backends changing shouldn't be very likely, but services may well change. we
should restart sshguard from nixos-rebuild instead of merely plopping down a new
config file and waiting for the user to restart sshguard.
2021-04-23 16:16:37 +02:00
Yorick van Pelt
279c7d43ee
nixos/oauth2_proxy: fix package name in nixos module 2021-04-18 14:21:38 +02:00
Graham Christensen
ffd29c76f6
Merge pull request #117928 from ymatsiuk/fprintd-tod
nixos/fprintd: add TOD support
2021-04-15 11:51:09 -04:00
Yurii Matsiuk
b29ed56049
nixos/fprintd: add TOD support
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>
2021-04-15 08:55:39 +02:00
Symphorien Gibol
7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
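Added example of a user definition that satisfies both this commit and the "don't default to nogroup" commit above (not code from either commit; the user name and home path are assumptions).

```nix
# Added example; not nixpkgs module code.
# Assumption: a service account "myservice" with its own primary group.
{ ... }:
{
  users.groups.myservice = { };

  users.users.myservice = {
    # One of isSystemUser / isNormalUser is now mandatory unless an explicit
    # uid below 500 is given; this allocates a uid below 500.
    isSystemUser = true;
    # The primary group has to be named; there is no silent nogroup fallback.
    group = "myservice";
    home = "/var/lib/myservice";
  };
}
```

After activation, `id myservice` should report `gid=...(myservice)` rather than `nogroup`; leaving `group` out (or both `isSystemUser` and `isNormalUser` unset) is an evaluation error rather than a runtime surprise.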
Sandro
ab1a223747
Merge pull request #112322 from mohe2015/module/declarative-step-ca 2021-04-12 17:35:54 +02:00
Hedtke, Moritz
01b1ddfa70 Add mohe2015 as maintainer to step-ca and nixos/step-ca 2021-04-09 14:57:43 +02:00
Hedtke, Moritz
d848dd07e6 nixos/step-ca: Add declarative step-ca service
Co-authored-by: midchildan <git@midchildan.org>
2021-04-09 14:57:43 +02:00
Sandro Jäckel
9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Maximilian Bosch
4a4f7dfb77
nixos/privacyidea: use envsubst to avoid leaking secrets to the store 2021-03-31 13:27:30 +02:00
Aaron Andersen
890327d751
Merge pull request #106698 from aanderse/nixos/clamav
nixos/clamav: add settings options to replace extraConfig options
2021-02-24 22:57:41 -05:00
Zhenya Vinogradov
cc26d8592f nixos/oauth2_proxy_nginx: specify hostname in X-Auth-Request-Redirect
Fixes redirection after signing in when you use a single oauth2_proxy
instance for multiple domains.

X-Auth-Request-Redirect header is used to decide which URL to redirect
to after signing in. Specifying `request_uri` is enough in case you
need to redirect to the same domain that serves oauth2 callback
endpoint, but with multiple domains you should include the scheme
and the host.
2021-02-08 15:28:52 +03:00
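Added example of the nginx header this message describes, written as a NixOS virtual host (not the oauth2_proxy_nginx module's generated config; the host name, proxy port and location layout are assumptions taken from the usual oauth2_proxy nginx pattern).

```nix
# Added example; not the nixpkgs oauth2_proxy_nginx module.
# Assumptions: oauth2_proxy listens on 127.0.0.1:4180 and is shared by
# several virtual hosts, of which app.example.org is one.
{ ... }:
{
  services.nginx.virtualHosts."app.example.org".locations."/oauth2/" = {
    proxyPass = "http://127.0.0.1:4180";
    extraConfig = ''
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Scheme $scheme;
      # $request_uri alone is only a path; with several domains behind one
      # proxy the scheme and host are needed to return to the right site.
      proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    '';
  };
}
```

A quick check is to sign in from a second domain and confirm the post-login redirect lands on that domain instead of the one serving the callback endpoint.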
Scriptkiddi
5ac119043d nixos/oauth2_proxy: add extraConfig type 2021-02-03 16:24:36 -08:00
Scriptkiddi
1d22f05d64 nixos/fprot: add type 2021-01-28 14:12:15 -08:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
Robert Hensing
530df49d7a
Merge pull request #108411 from hercules-ci/vault-multiple-config-files
vault: Support multiple config files (no secrets in store)
2021-01-24 13:49:06 +01:00
Robert Hensing
04946f4246 nixos/vault: extraConfigPaths -> extraSettingsPaths
Align with RFC42 language, even if in advance of the actual settings
attribute.
2021-01-19 18:14:29 +01:00
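Added example of the option this commit renames (not code from the commit or the vault module; the secrets file path and its contents are assumptions). The store-side config stays free of credentials, and anything secret is read from a root-only file outside the store.

```nix
# Added example; not nixpkgs module code.
# Assumption: /var/lib/vault/secrets.hcl is deployed out of band with mode 0600
# and holds the parts of the config that must not be world-readable.
{ ... }:
{
  services.vault = {
    enable = true;
    # Non-secret settings end up in the (world-readable) Nix store.
    storageBackend = "file";
    # Secret settings are merged from files that never enter the store.
    extraSettingsPaths = [ "/var/lib/vault/secrets.hcl" ];
  };
}
```

To confirm nothing leaked, grep the store-resident config (`grep -ri token /nix/store/*-vault.hcl`) and check the permissions of the external file with `stat -c '%a %U' /var/lib/vault/secrets.hcl`.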
Julien Moutinho
7a62c0bc95 nixos/tor: fix openFirewall when ORPort isInt 2021-01-12 10:14:14 +01:00
Griffin Smith
ee12216b9b fprintd: Use cfg.package instead of pkgs.fprintd
Use the configured package for fprintd in services.dbus.packages and
environment.systemPackages rather than hardcoding pkgs.fprintd.
2021-01-10 11:29:43 -05:00
Julien Moutinho
74f9321966 nixos/tor: fix client.dns.automapHostsSuffixes renaming 2021-01-05 22:34:01 +01:00
Robert Hensing
b413e7fd2a nixos/vault: Allow multiple config files 2021-01-04 19:00:30 +01:00
Julien Moutinho
0ccdd6f2b0 nixos/tor: improve type-checking and hardening
Fixes #77395.
Fixes #82790.
2021-01-04 01:02:26 +01:00
Alyssa Ross
e17d4b05a1 nixos/tor: don't do privoxy stuff by default
It's very surprising that services.tor.client.enable would set
services.privoxy.enable.  This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.

So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default.  This change is documented in the
release notes.

Reported-by: V <v@anomalous.eu>
2020-12-16 12:20:03 +00:00
Aaron Andersen
f3fc60b310 nixos/clamav: add settings options to replace extraConfig options 2020-12-11 19:56:08 -05:00
Peter Hoeg
aa995fb0b7 nixos/sshguard: do not do IPv6 setup/teardown unconditionally 2020-12-11 16:19:45 +08:00
zowoq
dbbd289982 nixos/*: fix indentation 2020-11-23 08:42:51 +10:00
lf-
b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
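Added example showing the wrong and the corrected placement side by side (not code from the commit; the unit name is an assumption). The misplaced keys were not an error, only a warning that most people never read, so the rate limit was silently not applied.

```nix
# Added example; not nixpkgs module code.
# Assumption: a hypothetical unit "example.service" that should restart
# without being rate-limited.
{ ... }:
{
  systemd.services.example = {
    # Wrong: these keys belong to [Unit]; in [Service] systemd logs
    # "Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring."
    # serviceConfig.StartLimitIntervalSec = 0;
    # serviceConfig.StartLimitBurst = 0;

    # Correct: [Unit] section. Zero for either key disables rate limiting,
    # so setting both is redundant.
    unitConfig.StartLimitIntervalSec = 0;

    serviceConfig = {
      Restart = "always";
      RestartSec = "5s";
    };
  };
}
```

Verify with `systemctl show example.service -p StartLimitIntervalUSec -p StartLimitBurst` and by checking that `journalctl -b _PID=1` no longer carries the "Unknown key name" warning for the unit.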
Malte Brandy
cebf9198f3
treewide: De-inline uses of lib.boolToString
This commit should not change eval results
2020-10-14 01:46:17 +02:00