summary refs log tree commit diff
path: root/nixos/modules/security
diff options
context:
space:
mode:
authorVladimír Čunát <vcunat@gmail.com>2016-03-14 11:27:15 +0100
committerVladimír Čunát <vcunat@gmail.com>2016-03-14 11:27:15 +0100
commitd6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4 (patch)
treea6b6cc322e9a615bf0e8b49de927d4edfc214554 /nixos/modules/security
parentab8a691d059b364c435a1871ae2ef70a578685d8 (diff)
parent55b6c1792619085dd8aacf46b94e2f33303dd58e (diff)
downloadnixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar.gz
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar.bz2
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar.lz
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar.xz
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.tar.zst
nixlib-d6b46ecb30f1a18a4b08ed29f03d2b5a6941aec4.zip
Merge branch 'closure-size' into p/default-outputs
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme.nix4


-rw-r--r--nixos/modules/security/apparmor-suid.nix4


-rw-r--r--nixos/modules/security/audit.nix4


-rw-r--r--nixos/modules/security/ca.nix35


-rw-r--r--nixos/modules/security/oath.nix50


-rw-r--r--nixos/modules/security/pam.nix17


6 files changed, 77 insertions, 37 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 15e5b49878f6..c5cd0fb60ee9 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -56,8 +56,8 @@ let
 
       plugins = mkOption {
         type = types.listOf (types.enum [
-          "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh"
-          "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json"
+          "cert.der" "cert.pem" "chain.pem" "external.sh"
+          "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
         ]);
         default = [ "fullchain.pem" "key.pem" "account_key.json" ];
         description = ''
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index 3da6a81158d0..d766f6badfc7 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -29,8 +29,8 @@ with lib;
         network inet raw,
 
         ${pkgs.glibc.out}/lib/*.so mr,
-        ${pkgs.libcap}/lib/libcap.so* mr,
-        ${pkgs.attr}/lib/libattr.so* mr,
+        ${pkgs.libcap.out}/lib/libcap.so* mr,
+        ${pkgs.attr.out}/lib/libattr.so* mr,
 
         ${pkgs.iputils}/bin/ping mixr,
         /var/setuid-wrappers/ping.real r,
diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix
index 3aa31e079073..f223f52ec487 100644
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -93,9 +93,11 @@ in {
 
   config = mkIf (cfg.enable == "lock" || cfg.enable) {
     systemd.services.audit = {
-      description = "pseudo-service representing the kernel audit state";
+      description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
 
+      unitConfig.ConditionVirtualization = "!container";
+
       path = [ pkgs.audit ];
 
       serviceConfig = {
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index ddfad52d42ed..849530238e7e 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -4,7 +4,7 @@ with lib;
 
 let
 
-  caBundle = pkgs.runCommand "ca-bundle.crt"
+  caCertificates = pkgs.runCommand "ca-certificates.crt"
     { files =
         config.security.pki.certificateFiles ++
         [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
@@ -26,7 +26,7 @@ in
       description = ''
         A list of files containing trusted root certificates in PEM
         format. These are concatenated to form
-        <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
+        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
         used by many programs that use OpenSSL, such as
         <command>curl</command> and <command>git</command>.
       '';
@@ -35,14 +35,17 @@ in
     security.pki.certificates = mkOption {
       type = types.listOf types.str;
       default = [];
-      example = singleton ''
-        NixOS.org
-        =========
-        -----BEGIN CERTIFICATE-----
-        MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
-        TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
-        ...
-        -----END CERTIFICATE-----
+      example = literalExample ''
+        [ '''
+            NixOS.org
+            =========
+            -----BEGIN CERTIFICATE-----
+            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+            ...
+            -----END CERTIFICATE-----
+          '''
+        ]
       '';
       description = ''
         A list of trusted root certificates in PEM format.
@@ -56,19 +59,13 @@ in
     security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
 
     # Old NixOS compatibility.
-    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
+    environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
 
     # CentOS/Fedora compatibility.
-    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
-
-    environment.sessionVariables =
-      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-certificates.crt";
-        # FIXME: unneeded - remove eventually.
-        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-certificates.crt";
-      };
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
 
   };
 
diff --git a/nixos/modules/security/oath.nix b/nixos/modules/security/oath.nix
new file mode 100644
index 000000000000..20f3e2dd9f83
--- /dev/null
+++ b/nixos/modules/security/oath.nix
@@ -0,0 +1,50 @@
+# This module provides configuration for the OATH PAM modules.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options = {
+
+    security.pam.oath = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable the OATH (one-time password) PAM module.
+        '';
+      };
+
+      digits = mkOption {
+        type = types.enum [ 6 7 8 ];
+        default = 6;
+        description = ''
+          Specify the length of the one-time password in number of
+          digits.
+        '';
+      };
+
+      window = mkOption {
+        type = types.int;
+        default = 5;
+        description = ''
+          Specify the number of one-time passwords to check in order
+          to accommodate for situations where the system and the
+          client are slightly out of sync (iteration for HOTP or time
+          steps for TOTP).
+        '';
+      };
+
+      usersFile = mkOption {
+        type = types.path;
+        default = "/etc/users.oath";
+        description = ''
+          Set the path to file where the user's credentials are
+          stored. This file must not be world readable!
+        '';
+      };
+    };
+
+  };
+}
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 2ee8a803d2fe..021c561af759 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -75,7 +75,7 @@ let
       };
 
       oathAuth = mkOption {
-        default = config.security.pam.enableOATH;
+        default = config.security.pam.oath.enable;
         type = types.bool;
         description = ''
           If set, the OATH Toolkit will be used.
@@ -259,8 +259,8 @@ let
               "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
           ${optionalString cfg.otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          ${optionalString cfg.oathAuth
-              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
+          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
+              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
           ${optionalString config.users.ldap.enable
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.krb5.enable ''
@@ -302,8 +302,6 @@ let
               "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
           ${optionalString cfg.otpwAuth
               "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          ${optionalString cfg.oathAuth
-              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
           ${optionalString cfg.startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
           ${optionalString cfg.forwardXAuth
@@ -405,13 +403,6 @@ in
       '';
     };
 
-    security.pam.enableOATH = mkOption {
-      default = false;
-      description = ''
-        Enable the OATH (one-time password) PAM module.
-      '';
-    };
-
     security.pam.enableU2F = mkOption {
       default = false;
       description = ''
@@ -446,7 +437,7 @@ in
       ++ optional config.users.ldap.enable pam_ldap
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
-      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+      ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
       ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-17 12:09:34 +0000