author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-01-29 00:02:49 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-29 00:02:49 +0000 |
commit | 1a9dbf110bbc02a3fc2f26183d22ac6646263c42 (patch) | |
tree | 30009e842c90d420210a22c28848915afb028c37 /nixos | |
parent | 6f58919d162d6ca87d7616a73d9f19cc971269d4 (diff) | |
parent | 5dc9994ad0a518050b0a313d9be1688fa7487217 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/security/bitwarden-directory-connector-cli.nix | 64 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/zope2.nix | 2 |
3 files changed, 39 insertions, 36 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 74dc2cb1b9aa..b85a2ac7e69d 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -39,14 +39,17 @@ with lib;
   security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
-    # Slab/slub sanity checks, redzoning, and poisoning
-    "slub_debug=FZP"
+    # Don't merge slabs
+    "slab_nomerge"
 
-    # Overwrite free'd memory
+    # Overwrite free'd pages
     "page_poison=1"
 
     # Enable page allocator randomization
     "page_alloc.shuffle=1"
+
+    # Disable debugfs
+    "debugfs=off"
   ];
 
   boot.blacklistedKernelModules = [
diff --git a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
index 18c02e22fd7e..a55758322a75 100644
--- a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
+++ b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
@@ -277,42 +277,42 @@ in {
         BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
       };
 
+      preStart = ''
+        set -eo pipefail
+
+        # create the config file
+        ${lib.getExe cfg.package} data-file
+        touch /tmp/data.json.tmp
+        chmod 600 /tmp/data.json{,.tmp}
+
+        ${lib.getExe cfg.package} config server ${cfg.domain}
+
+        # now login to set credentials
+        export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
+        export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
+        ${lib.getExe cfg.package} login
+        jq '.authenticatedAccounts[0] as $account
+          | .[$account].directoryConfigurations.ldap |= $ldap_data
+          | .[$account].directorySettings.organizationId |= $orgID
+          | .[$account].directorySettings.sync |= $sync_data' \
+          --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
+          --arg orgID "''${BW_CLIENTID//organization.}" \
+          --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
+          /tmp/data.json \
+          > /tmp/data.json.tmp
+
+        mv -f /tmp/data.json.tmp /tmp/data.json
+
+        # final config
+        ${lib.getExe cfg.package} config directory 0
+        ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
+      '';
+
       serviceConfig = {
         Type = "oneshot";
         User = "${cfg.user}";
         PrivateTmp = true;
-        preStart = ''
-          set -eo pipefail
-
-          # create the config file
-          ${lib.getExe cfg.package} data-file
-          touch /tmp/data.json.tmp
-          chmod 600 /tmp/data.json{,.tmp}
-
-          ${lib.getExe cfg.package} config server ${cfg.domain}
-
-          # now login to set credentials
-          export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
-          export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
-          ${lib.getExe cfg.package} login
-
-          jq '.authenticatedAccounts[0] as $account
-            | .[$account].directoryConfigurations.ldap |= $ldap_data
-            | .[$account].directorySettings.organizationId |= $orgID
-            | .[$account].directorySettings.sync |= $sync_data' \
-            --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
-            --arg orgID "''${BW_CLIENTID//organization.}" \
-            --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
-            /tmp/data.json \
-            > /tmp/data.json.tmp
-
-          mv -f /tmp/data.json.tmp /tmp/data.json
-
-          # final config
-          ${lib.getExe cfg.package} config directory 0
-          ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
-        '';
-
         ExecStart = "${lib.getExe cfg.package} sync";
       };
     };
diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix
index a17fe6bc2082..29731b29eea4 100644
--- a/nixos/modules/services/web-servers/zope2.nix
+++ b/nixos/modules/services/web-servers/zope2.nix
@@ -147,7 +147,7 @@ in
         name = "zope2-${name}-env";
         paths = [
           pkgs.python27
-          pkgs.python27Packages.recursivePthLoader
+          pkgs.python27Packages.recursive-pth-loader
           pkgs.python27Packages."plone.recipe.zope2instance"
         ] ++ attrValues pkgs.python27.modules ++ opts.packages;
 
|
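Review bot: Swapping `slub_debug=FZP` for `slab_nomerge` silently drops the slab sanity checks, redzoning and poisoning that the removed comment named, and nothing in the hunk re-enables poisoning of freed slab objects — `page_poison=1` covers only pages handed back to the page allocator, as the updated comment now says. The new comment should record that this is a deliberate trade-off so the next reader does not simply re-add the old flag, e.g. `# Don't merge slabs (slub_debug=FZP was dropped; freed slab objects are no longer redzoned or poisoned)`, and if the motivation was the runtime cost of slub_debug, state that too. Presumably `init_on_free=1` / `init_on_alloc=1` (available since Linux 5.3) were weighed as the modern replacement for both options; a one-line note either way would save the next reviewer the same question. The enclosing module body starts and ends outside the hunk.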
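Review bot: `${cfg.domain}` on the `config server` line and `${cfg.secrets.ldap}` on the `--secretfile` line are interpolated into the shell script unquoted, while the neighbouring credential paths and JSON blobs go through `escapeShellArg`; a value containing whitespace or shell metacharacters would be word-split or interpreted rather than passed as one argument. Since this is now the script that actually runs as `preStart` (it previously sat under `serviceConfig`, which is presumably why it never took effect), the quoting should be made consistent: `${lib.getExe cfg.package} config server ${escapeShellArg cfg.domain}` and `${lib.getExe cfg.package} config ldap.password --secretfile ${escapeShellArg cfg.secrets.ldap}`. Separately, `cfg.ldap.finalJSON` and `cfg.sync.finalJSON` are baked into the unit's script in the Nix store, so anything sensitive inside them would be world-readable; if they are meant to hold only non-secret settings, a comment saying so next to the jq call would make that contract explicit. The surrounding `systemd.services` definition starts and ends outside the hunk.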