author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-10-12 18:01:06 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-12 18:01:06 +0000 |
commit | 176015fc743583e30581c23bfda2bf848dd4d67d (patch) | |
tree | 805fdf7c8573cefacc53730a578b7d04621eff0b /nixos | |
parent | f220ef48f81419bf1fd03621b04e9d942b91ef96 (diff) | |
parent | 093f098d2684283c8a0ea9b156a6edbbfff66e02 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/programs/bandwhich.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/searx.nix | 33 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 35 | ||||
-rw-r--r-- | nixos/tests/wordpress.nix | 2 |
4 files changed, 44 insertions, 28 deletions
diff --git a/nixos/modules/programs/bandwhich.nix b/nixos/modules/programs/bandwhich.nix index 8d1612217ad8..aa6a0dfb6ffd 100644 --- a/nixos/modules/programs/bandwhich.nix +++ b/nixos/modules/programs/bandwhich.nix @@ -24,7 +24,7 @@ in { security.wrappers.bandwhich = { owner = "root"; group = "root"; - capabilities = "cap_net_raw,cap_net_admin+ep"; + capabilities = "cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep"; source = "${pkgs.bandwhich}/bin/bandwhich"; }; }; diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 40648c724812..8054f01d705f 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -43,12 +43,8 @@ in [ "services" "searx" "settingsFile" ]) ]; - ###### interface - options = { - services.searx = { - enable = mkOption { type = types.bool; default = false; @@ -149,8 +145,8 @@ in package = mkOption { type = types.package; - default = pkgs.searx; - defaultText = literalExpression "pkgs.searx"; + default = pkgs.searxng; + defaultText = literalExpression "pkgs.searxng"; description = lib.mdDoc "searx package to use."; }; @@ -190,21 +186,7 @@ in }; - - ###### implementation - config = mkIf cfg.enable { - assertions = [ - { - assertion = (cfg.limiterSettings != { }) -> cfg.package.pname == "searxng"; - message = "services.searx.limiterSettings requires services.searx.package to be searxng."; - } - { - assertion = cfg.redisCreateLocally -> cfg.package.pname == "searxng"; - message = "services.searx.redisCreateLocally requires services.searx.package to be searxng."; - } - ]; - environment.systemPackages = [ cfg.package ]; users.users.searx = 
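Review bot: The wrapper now carries cap_sys_ptrace and cap_dac_read_search on top of the network capabilities, and since `security.wrappers.bandwhich` is root-owned with no visible group or permission restriction, every local user who can run it gets a binary that can bypass file read permissions and inspect arbitrary processes — a far broader grant than before, and the hunk says nothing about why it is needed. I would add a comment above `capabilities`, e.g. `# cap_sys_ptrace/cap_dac_read_search are presumably needed to map sockets to processes via other users' /proc entries; together they let any caller of this wrapper read any file and ptrace any process, so limit who may execute it.` If the wrappers module supports a `permissions`/`group` restriction, narrowing execution to a dedicated group would contain the grant; that is a design decision rather than something this one-line change settles. The upstream reason for the two new capabilities is inferred here, not visible in the diff.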
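Review bot: The option's `description` still reads "searx package to use." after the default moves from `pkgs.searx` to `pkgs.searxng` in the hunk at `@@ -149`, so nothing tells a reader which of the two packages they get by default. I would change it to `description = lib.mdDoc "The searx or SearXNG package to use. Defaults to SearXNG.";`. Switching the default is a behaviour change for existing deployments, and the diffstat shows no release-notes file touched, so it presumably deserves a changelog entry as well.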
@@ -245,10 +227,10 @@ in }; }; - systemd.services.uwsgi = mkIf (cfg.runInUwsgi) - { requires = [ "searx-init.service" ]; - after = [ "searx-init.service" ]; - }; + systemd.services.uwsgi = mkIf cfg.runInUwsgi { + requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; + }; services.searx.settings = { # merge NixOS settings with defaults settings.yml @@ -256,7 +238,7 @@ in redis.url = lib.mkIf cfg.redisCreateLocally "unix://${config.services.redis.servers.searx.unixSocket}"; }; - services.uwsgi = mkIf (cfg.runInUwsgi) { + services.uwsgi = mkIf cfg.runInUwsgi { enable = true; plugins = [ "python3" ]; @@ -270,6 +252,7 @@ in enable-threads = true; module = "searx.webapp"; env = [ + # TODO: drop this as it is only required for searx "SEARX_SETTINGS_PATH=${cfg.settingsFile}" # searxng compatibility https://github.com/searxng/searxng/issues/1519 "SEARXNG_SETTINGS_PATH=${cfg.settingsFile}" diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 327d19daca30..daa30fe09b89 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -74,6 +74,19 @@ let }; }; + options.openssh.authorizedPrincipals = mkOption { + type = with types; listOf types.singleLineStr; + default = []; + description = mdDoc '' + A list of verbatim principal names that should be added to the user's + authorized principals. + ''; + example = [ + "example@host" + "foo@bar" + ]; + }; + }; authKeysFiles = let @@ -89,6 +102,16 @@ let )); in listToAttrs (map mkAuthKeyFile usersWithKeys); + authPrincipalsFiles = let + mkAuthPrincipalsFile = u: nameValuePair "ssh/authorized_principals.d/${u.name}" { + mode = "0444"; + text = concatStringsSep "\n" u.openssh.authorizedPrincipals; + }; + usersWithPrincipals = attrValues (flip filterAttrs config.users.users (n: u: + length u.openssh.authorizedPrincipals != 0 + )); + in listToAttrs (map mkAuthPrincipalsFile usersWithPrincipals); + in { 
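Review bot: The description of the new `options.openssh.authorizedPrincipals` option says only that the names are added to the user's authorized principals, without saying where they end up or when sshd consults them; the following hunk in this file (cut off in this view) writes them to `/etc/ssh/authorized_principals.d/<user>`, and sshd only reads a principals file for certificate-based logins, which additionally need a CA configured via `TrustedUserCAKeys`. I would extend the description to state that each entry becomes one verbatim line of that file, so it must use sshd's authorized_principals syntax (it may carry options such as `from=`), and that the list has no effect for plain public-key logins or without a trusted user CA. The `singleLineStr` type rules out newline injection into the generated file, which is worth a short comment on the `type` line.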
@@ -285,6 +308,14 @@ in type = types.submodule ({name, ...}: { freeformType = settingsFormat.type; options = { + AuthorizedPrincipalsFile = mkOption { + type = types.str; + default = "none"; # upstream default + description = lib.mdDoc '' + Specifies a file that lists principal names that are accepted for certificate authentication. The default + is `"none"`, i.e. not to use a principals file. + ''; + }; LogLevel = mkOption { type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; default = "INFO"; # upstream default @@ -444,7 +475,7 @@ in services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server"; - environment.etc = authKeysFiles // + environment.etc = authKeysFiles // authPrincipalsFiles // { "ssh/moduli".source = cfg.moduliFile; "ssh/sshd_config".source = sshconf; }; @@ -541,6 +572,8 @@ in services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; + services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; + services.openssh.extraConfig = mkOrder 0 '' UsePAM yes diff --git a/nixos/tests/wordpress.nix b/nixos/tests/wordpress.nix index 106bbff46c54..937b505af2ac 100644 --- a/nixos/tests/wordpress.nix +++ b/nixos/tests/wordpress.nix @@ -67,7 +67,7 @@ rec { networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ]; }; }) {} [ - "6_1" "6_2" "6_3" + "6_3" ]; testScript = '' |
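Review bot: The new `AuthorizedPrincipalsFile` option documents the upstream default of `none` but not that this module overrides it automatically: the later hunk `@@ -541` sets it to `/etc/ssh/authorized_principals.d/%u` whenever any user declares `openssh.authorizedPrincipals`, with no `mkDefault`, so a manual setting then fails with a conflicting-definition error rather than being merged. I would add to the description: `The module sets this to /etc/ssh/authorized_principals.d/%u when any user declares openssh.authorizedPrincipals; override it with mkForce only if you manage principals yourself, since the declared principals are then ignored.` It would also help to say that the file is only consulted for certificate authentication, so a value other than `none` does nothing without `TrustedUserCAKeys`.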
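Review bot: The assignment of `services.openssh.settings.AuthorizedPrincipalsFile` carries no priority, so any existing configuration that sets this option itself will start failing with a conflicting-definition error the moment a user declares `openssh.authorizedPrincipals`. That failure is safer than a `mkDefault`, which would let a site-level value silently win and turn every declared principal into a no-op, but the choice should be recorded: `# Deliberately no mkDefault: silently losing to a manual AuthorizedPrincipalsFile would make users.*.openssh.authorizedPrincipals a no-op; a hard conflict is the safer failure.` Using a root-owned path under /etc with `%u`, rather than something under `%h`, also keeps users from editing their own principal list, which is worth stating in the same comment.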