Commit graph

91 commits

Author SHA1 Message Date
Evgeny Egorochkin
a9e4eca8bf Apparmor: check that we are running an AppArmor-enabled kernel. 2013-05-10 16:07:56 +03:00
Evgeny Egorochkin
44eb1bac65 Apparmor: add a warning 2013-05-10 14:57:48 +03:00
Eelco Dolstra
fef5a18587 Enable sudoedit 2013-04-03 13:27:41 +02:00
Lluís Batlle i Rossell
86c1e10a43 Setting pam otpw *after* pam_unix, for dovecot failed auth messages.
I think it's nice that it first asks the usual password, and then offers the
otpw one if enabled. That enables dovecot to show the last pam prompt.

I also add the dovecot option for that.
2013-03-30 22:25:19 +01:00
Lluís Batlle i Rossell
c53bd1b279 pam: adding otpw optional, default false 2013-03-30 21:06:23 +01:00
Eelco Dolstra
ae4e94d9ac Rename ‘boot.systemd’ to ‘systemd’
Suggested by Mathijs Kwik.  ‘boot.systemd’ is a misnomer because
systemd affects more than just booting.  And it saves some typing.
2013-01-16 12:33:18 +01:00
Eelco Dolstra
61f1df279f Remove bogus comment 2013-01-15 17:34:24 +01:00
Eelco Dolstra
0b399d8e49 Revert "Remove obsolete environment variables"
This reverts commit ac8080b83c.
2013-01-15 17:34:01 +01:00
Eelco Dolstra
ac8080b83c Remove obsolete environment variables 2013-01-15 16:53:40 +01:00
Eelco Dolstra
251f8546c9 pam_ssh_agent_auth: Use /etc/ssh/authorized_keys.d 2012-12-17 21:14:09 +01:00
Eelco Dolstra
b1da38f564 Merge remote-tracking branch 'origin/master' into systemd 2012-11-30 16:12:04 +01:00
Shea Levy
a5ef0ffe12 rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 08:45:23 -05:00
Eelco Dolstra
f3c9c83e04 Make it easier to append to the default sudo configuration 2012-11-23 15:14:16 +01:00
Shea Levy
e76eb7f1a7 Disable rngd by default while I work on some patches to make it more systemd-friendly 2012-11-22 10:14:41 -05:00
Eelco Dolstra
77891f8d59 Typo 2012-11-22 10:41:54 +01:00
Shea Levy
cd513482d4 Add rngd service.
Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c
2012-11-22 02:07:25 -05:00
Rickard Nilsson
6099451662 Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-11-20 16:39:45 +01:00
aszlig
1c28b86749
pam: Douchebag commit, fix alphabetical order.
Yes, I'm going to get back to school and learn the alphabet. I promise!

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:41:24 +01:00
aszlig
6e6ee3278c
pam: Add default configuration for GNU screen.
This is needed in order to properly lock your screen using the C-a C-x
(lockscreen) command _and_ being back to re-login, because the "other" PAM
service/fallback is to deny authentication.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:40:15 +01:00
Eelco Dolstra
224c825a36 Add option ‘users.motd’ for setting a message of the day shown on login
Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00
Eelco Dolstra
08f14b33c1 Merge branch 'master' of github.com:NixOS/nixos into systemd 2012-08-20 11:27:38 -04:00
Eelco Dolstra
6547ecb72f Remove policykit.nix (old PolicyKit module)
Only the HAL module needed it.
2012-08-17 14:47:37 -04:00
Eelco Dolstra
490ce3a230 PAM: Rename ownDevices to startSession
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
2012-08-17 13:48:22 -04:00
Peter Simons
a025e848e0 modules/security/sudo.nix: added 'wheelNeedsPassword' option (default: true)
Change this setting to 'false' to allow users in the 'wheel' group to execute
commands as super user without entering a password.
2012-08-13 14:37:32 +02:00
Eelco Dolstra
d4fec178fd Merge remote-tracking branch 'origin/master' into systemd 2012-08-02 13:44:16 -04:00
Florian Friesdorf
14a8532ee0 add NIX_CONF_DIR to sudo env_keep variables (suggested by Eelco Dolstra)
this enables nix-collect-garbage under sudo to respect nix.conf, e.g.:

    gc-keep-outputs = true
    gc-keep-derivations = true
2012-07-27 12:25:11 +02:00
Your Name
4549bad2f4 AppArmor: packaged 2012-07-22 16:31:49 +03:00
Mathijs Kwik
26bf696350 Revert "allow out-of-tree nixos modules"
This reverts commit b609ff4fcf.

It turns out this can just be done using "require".
2012-07-21 18:30:58 +02:00
Mathijs Kwik
b609ff4fcf allow out-of-tree nixos modules
The environment variable "NIXOS_EXTRA_MODULES" is now checked to
contain a path to a file similar to modules/module-list.nix.

This gives the ability to include nixos modules that are not in the
nixos source tree.

This can be useful for modules that are still experimental, or which
aren't useful for other nixos users. Of course, this was already
possible to do this using a forked nixos tree, but with this
functionality, you can just rely on the nixos channel, easing things a
lot.
2012-07-21 17:35:50 +02:00
Peter Simons
4553a27a92 modules/security/pam.nix: add xscreensaver to the list of services 2012-07-17 13:01:09 +02:00
Eelco Dolstra
66f4d10843 Use pam_systemd.so to set up device ownership
This removes the need for ConsoleKit, so it's gone.
2012-06-15 14:51:48 -04:00
Eelco Dolstra
63517eca1b * Actually use the security.pam.enableSSHAgentAuth option.
http://hydra.nixos.org/build/2698800

svn path=/nixos/trunk/; revision=34483
2012-06-12 20:21:15 +00:00
Eelco Dolstra
03653d43eb * Add support for sudo authentication using the SSH agent. This
allows password-less servers.

svn path=/nixos/trunk/; revision=34474
2012-06-11 22:41:07 +00:00
Peter Simons
51b5da4023 modules/security/pam.nix: sort security.pam.services alphabetically
svn path=/nixos/trunk/; revision=34437
2012-06-11 07:12:41 +00:00
Peter Simons
5c3593be46 Add PAM configuration for vlock.
svn path=/nixos/trunk/; revision=34436
2012-06-11 07:12:39 +00:00
Peter Simons
4c54fcaf45 pam security for i3lock
svn path=/nixos/trunk/; revision=34435
2012-06-11 07:10:25 +00:00
Eelco Dolstra
801cd7402c * Don't use ‘chown user.group’ since that syntax is not officially
supported (you're supposed to say ‘chown user:group’).

svn path=/nixos/trunk/; revision=34161
2012-05-17 19:43:32 +00:00
Florian Friesdorf
5115e6a1d0 keep NIX_PATH in sudo env
fixes:
file `nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I)

svn path=/nixos/trunk/; revision=32973
2012-03-10 16:11:40 +00:00
Eelco Dolstra
a6f410f144 * Obsolete security.extraSetuidPrograms.
svn path=/nixos/trunk/; revision=32723
2012-03-01 20:10:46 +00:00
Florian Friesdorf
0862ca9fa7 sudoers: LOCALE_ARCHIVE, TERMINFO_DIRS for root and %wheel
svn path=/nixos/trunk/; revision=31491
2012-01-12 07:54:14 +00:00
Peter Simons
20b364f4de Reverting revisions 30103-30106: "always set nixpkgs.config.{state,store}Dir", etc.
After the change from revision 30103, nixos-rebuild suddenly consumed
freaky amounts of memory. I had to abort the process after it had
allocated well in excess of 30GB(!) of RAM. I'm not sure what is causing
this behavior, but undoing that assignment fixes the problem. The other
two commits needed to be revoked, too, because they depend on 30103.

svn path=/nixos/trunk/; revision=30127
2011-10-30 15:19:58 +00:00
Shea Levy
09cf6ce70c find modules | fgrep .nix | fgrep -v .svn | fgrep -v nixpkgs.nix | xargs sed -i -e 's|/nix/var|${config.nixpkgs.config.nix.stateDir}|g' -e 's|/nix/store|${config.nixpkgs.config.nix.storeDir}|g'
Don't assume /nix/store or /nix/var in NixOS modules, this is configurable

svn path=/nixos/trunk/; revision=30104
2011-10-29 21:03:57 +00:00
Peter Simons
eb6e1310b8 strip trailing whitespace; no functional change
svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Eelco Dolstra
64340dc03c * Set OPENSSL_X509_CERT_FILE.
svn path=/nixos/trunk/; revision=29225
2011-09-12 17:01:43 +00:00
Eelco Dolstra
d1ae2c2ac1 * Polkit: remove the wrapper since it's no longer needed (and didn't
really work as far as I can tell).

svn path=/nixos/trunk/; revision=28734
2011-08-22 11:46:32 +00:00
Eelco Dolstra
7980c71d9c * Add some options to allow setting PolKit permissions.
svn path=/nixos/trunk/; revision=28729
2011-08-21 20:38:45 +00:00
Eelco Dolstra
44725e50f0 * Apply the resource limits set by security.pam.loginLimits to all PAM
services (rather than just login(1)).  It's rather unexpected if
  resource limits are not applied to (say) users logged in via SSH or
  X11.

svn path=/nixos/trunk/; revision=28105
2011-08-01 10:17:18 +00:00
Eelco Dolstra
7d69a82b55 * Put the CA certificate bundle in /etc/ssl/certs because Qt expects
them there.

svn path=/nixos/trunk/; revision=28009
2011-07-29 19:06:27 +00:00
Eelco Dolstra
aa5f5ed2e5 * I should test first.
svn path=/nixos/trunk/; revision=27964
2011-07-26 14:19:06 +00:00
Eelco Dolstra
645205b600 * Add a module for rtkit. The PulseAudio module enables rtkit to
acquire real-time priority.

svn path=/nixos/trunk/; revision=27963
2011-07-26 14:14:10 +00:00