Commit graph

16887 commits

Author SHA1 Message Date
Martin Weinelt
d67fc76603
Merge pull request #120536 from mweinelt/mosquitto 2021-05-03 00:41:21 +02:00
Martin Weinelt
f41349d30d
nixos/home-assistant: Restart systemd unit on restart service
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
2021-05-03 00:21:25 +02:00
Martin Weinelt
7d09d7f571
nixos/home-assistant: harden systemd service
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
2021-05-03 00:21:24 +02:00
Maximilian Bosch
040f0acccd
Merge pull request #121299 from Ma27/gitea-umask
nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00
Luke Granger-Brown
152fa5414c
Merge pull request #120209 from considerate/considerate/multiple-tags-buildkite-agents
services.buildkite-agents: support multi-tags
2021-05-01 19:07:56 +01:00
Martin Weinelt
a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt
33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Jan Tojnar
1733bade1a
Merge pull request #121226 from zhaofengli/librem-take2
phosh: init at 0.10.2
2021-05-01 18:41:50 +02:00
Luke Granger-Brown
be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
Sandro
ac72d9acfe
Merge pull request #91955 from c00w/expand
sd-image: Add option to control sd image expansion on boot.
2021-05-01 14:52:07 +02:00
Luke Granger-Brown
d76b075e3c
Merge pull request #121246 from thblt/master
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
2021-05-01 13:30:45 +01:00
Zhaofeng Li
31a32eeed3 nixos/phosh: init
Co-authored-by: Blaž Hrastnik <blaz@mxxn.io>
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: Jordi Masip <jordi@masip.cat>
2021-05-01 06:55:02 +00:00
Zhaofeng Li
3086335f04 nixos/feedbackd: init 2021-05-01 06:52:35 +00:00
lewo
85aef7706e
Merge pull request #120620 from mweinelt/empty-capability-bounding-sets
nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00
Colin L Rice
bef4bda8dd sd-image: Add option to control sd image expansion on boot.
This is supeer useful to allow the normal sd-image code to be used by
someone who wants to setup multiple partitions with a sd-image.

Currently I'm manually copying the sd-image file and modifying it
instead.
2021-04-30 22:12:07 -04:00
Martin Weinelt
326f86d8cd
Merge pull request #121222 from mweinelt/nginx
nixos/nginx: update hardening settings
2021-05-01 00:36:16 +02:00
Martin Weinelt
efb30a191e
Merge pull request #120529 from mweinelt/zigbee2mqtt 2021-04-30 21:59:22 +02:00
Maximilian Bosch
02c3bd2187
nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
2021-04-30 21:39:11 +02:00
Florian Klink
44a0debca7
Merge pull request #121021 from pennae/container-sigterm
nixos/nix-containers: use SIGTERM to stop containers
2021-04-30 21:35:16 +02:00
lunik1
248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Martin Weinelt
62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt
2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
Martin Weinelt
a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt
e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Martin Weinelt
506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00
Kim Lindberger
fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Sandro
a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Thibault Polge
71d9291742
nixos/pcscd: Correctly install pcsclite (fix #121121)
This makes sure that the polkit policies for pcsclite are correcly loaded.
2021-04-30 10:33:03 +02:00
Peter Hoeg
82c31a83b8 nixos/module: example referenced old ffmpeg 2021-04-30 09:43:18 +08:00
Lassulus
addfd88117
Merge pull request #117072 from em0lar/keycloak-module-dbuser
nixos/keycloak: use db username in db init scripts
2021-04-29 20:15:19 +02:00
Leo Maroni
d9e18f4e7f
nixos/keycloak: use db username in db init scripts 2021-04-29 19:36:29 +02:00
Kim Lindberger
abecdfea73
Merge pull request #120833 from talyz/pipewire-0.3.26
pipewire: 0.3.25 -> 0.3.26
2021-04-29 18:46:35 +02:00
Florian Klink
7f9a5ad257
cage: drop maintainership (#121174)
I cannot currently maintain this, as I don't have access to the hardware
running it anymore.
2021-04-29 18:07:13 +02:00
WilliButz
674cea17a7
Merge pull request #120492 from SuperSandro2000/prometheus-unbound-exporter
Prometheus unbound exporter
2021-04-29 10:54:22 +02:00
Vladimír Čunát
5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Andrei Pampu
e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Sandro Jäckel
ba13dc0652
nixos/prometheus: add unbound exporter 2021-04-29 06:19:29 +02:00
Peter Hoeg
6d23cfd56b nixos/pcscd: fix #121088 2021-04-29 10:10:18 +08:00
Peter Hoeg
ce93de4f62 nixos/hyperv: bail gracefully if device is missing 2021-04-29 09:37:17 +08:00
Martin Weinelt
de5a69c918
nixos/promtail: Set TimeoutStopSec=10
On reboots and shutdowns promtail blocks for at least 90 seconds,
because it would still try to deliver log messages for loki, which isn't
possible when the network has already gone down.

Upstreams example unit also uses a ten seconds timeout, something which
has worked pretty well for me as well.
2021-04-28 21:02:11 +02:00
pennae
82931ea446 nixos/nix-containers: use SIGTERM to stop containers
systemd-nspawn can react to SIGTERM and send a shutdown signal to the container
init process. use that instead of going through dbus and machined to request
nspawn sending the signal, since during host shutdown machined or dbus may have
gone away by the point a container unit is stopped.

to solve the issue that a container that is still starting cannot be stopped
cleanly we must also handle this signal in containerInit/stage-2.
2021-04-28 14:07:35 +02:00
Aaron Andersen
45eb9c21ee
Merge pull request #119672 from chessai/init-duckling-service
init duckling service
2021-04-27 20:58:28 -04:00
Izorkin
8723d226b4 nixos/mastodon: update SystemCallFilters 2021-04-28 00:44:25 +02:00
Vladimír Čunát
a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
chessai
e47e2a1b9f init duckling service 2021-04-27 10:41:07 -07:00
talyz
7a67a2d1a8
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-04-27 17:49:43 +02:00
talyz
fb86d324d1
pipewire: Add update script 2021-04-27 16:50:22 +02:00
talyz
24320ba1dd
pipewire: 0.3.25 -> 0.3.26 2021-04-27 12:41:30 +02:00
Robert Schütz
e22d76fe34
Merge pull request #120520 from minijackson/jellyfin-remove-10.5
jellyfin_10_5: remove unmaintained version
2021-04-26 17:16:43 +02:00
Minijackson
2ad8aa72ae
jellyfin_10_5: remove unmaintained version
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
backup the database before the layout was upgraded, but these backups
should be done periodically.

[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
2021-04-26 14:11:29 +02:00