Diffstat (limited to 'nixpkgs/nixos/modules/services/security')
18 files changed, 123 insertions, 103 deletions
diff --git a/nixpkgs/nixos/modules/services/security/authelia.nix b/nixpkgs/nixos/modules/services/security/authelia.nix
index cc55260e20f8..614b3b1e22b2 100644
--- a/nixpkgs/nixos/modules/services/security/authelia.nix
+++ b/nixpkgs/nixos/modules/services/security/authelia.nix
@@ -24,12 +24,7 @@ let
 ''; };
- package = mkOption {
- default = pkgs.authelia;
- type = types.package;
- defaultText = literalExpression "pkgs.authelia";
- description = mdDoc "Authelia derivation to use.";
- };
+ package = mkPackageOption pkgs "authelia" { };
 user = mkOption { default = "authelia-${name}";
diff --git a/nixpkgs/nixos/modules/services/security/certmgr.nix b/nixpkgs/nixos/modules/services/security/certmgr.nix
index ca4cf5084722..db80e943973d 100644
--- a/nixpkgs/nixos/modules/services/security/certmgr.nix
+++ b/nixpkgs/nixos/modules/services/security/certmgr.nix
@@ -37,12 +37,7 @@ in
 options.services.certmgr = { enable = mkEnableOption (lib.mdDoc "certmgr");
- package = mkOption {
- type = types.package;
- default = pkgs.certmgr;
- defaultText = literalExpression "pkgs.certmgr";
- description = lib.mdDoc "Which certmgr package to use in the service.";
- };
+ package = mkPackageOption pkgs "certmgr" { };
 defaultRemote = mkOption { type = types.str;
diff --git a/nixpkgs/nixos/modules/services/security/clamav.nix b/nixpkgs/nixos/modules/services/security/clamav.nix
index 34897a9ac7db..72a195d3a04e 100644
--- a/nixpkgs/nixos/modules/services/security/clamav.nix
+++ b/nixpkgs/nixos/modules/services/security/clamav.nix
@@ -15,6 +15,9 @@ let
 clamdConfigFile = pkgs.writeText "clamd.conf" (toKeyValue cfg.daemon.settings); freshclamConfigFile = pkgs.writeText "freshclam.conf" (toKeyValue cfg.updater.settings);
+ fangfrischConfigFile = pkgs.writeText "fangfrisch.conf" ''
+ ${lib.generators.toINI {} cfg.fangfrisch.settings}
+ '';
 in { imports = [
@@ -66,6 +69,36 @@ in
 ''; }; };
+ fangfrisch = {
+ enable = mkEnableOption (lib.mdDoc "ClamAV fangfrisch updater");
+
+ interval = mkOption {
+ type = types.str;
+ default = "hourly";
+ description = lib.mdDoc ''
+ How often freshclam is invoked. See systemd.time(7) for more
+ information about the format.
+ '';
+ };
+
+ settings = mkOption {
+ type = lib.types.submodule {
+ freeformType = with types; attrsOf (attrsOf (oneOf [ str int bool ]));
+ };
+ default = { };
+ example = {
+ securiteinfo = {
+ enabled = "yes";
+ customer_id = "your customer_id";
+ };
+ };
+ description = lib.mdDoc ''
+ fangfrisch configuration. Refer to <https://rseichter.github.io/fangfrisch/#_configuration>,
+ for details on supported values.
+ Note that by default urlhaus and sanesecurity are enabled.
+ '';
+ };
+ };
 }; };
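Review bot: `customer_id` in the `settings` example is a SecuriteInfo credential, and `settings` is rendered into `fangfrischConfigFile`, which the first hunk of this file writes with `pkgs.writeText` into the world-readable Nix store, so any value placed in this option is readable by every local user and ends up in the system closure. The option description should state this, e.g. append `Values set here are written to the world-readable Nix store; do not place credentials such as customer_id in this option.` Separately, the `interval` description says `How often freshclam is invoked` but this option drives the fangfrisch timer, so it should read `How often fangfrisch is invoked.`. The enclosing options attribute set starts outside this hunk.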
@@ -98,23 +131,32 @@ in
 DatabaseMirror = [ "database.clamav.net" ]; };
+ services.clamav.fangfrisch.settings = {
+ DEFAULT.db_url = mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite";
+ DEFAULT.local_directory = mkDefault stateDir;
+ DEFAULT.log_level = mkDefault "INFO";
+ urlhaus.enabled = mkDefault "yes";
+ urlhaus.max_size = mkDefault "2MB";
+ sanesecurity.enabled = mkDefault "yes";
+ };
+
 environment.etc."clamav/freshclam.conf".source = freshclamConfigFile; environment.etc."clamav/clamd.conf".source = clamdConfigFile; systemd.services.clamav-daemon = mkIf cfg.daemon.enable { description = "ClamAV daemon (clamd)";
- after = optional cfg.updater.enable "clamav-freshclam.service";
+ after = optionals cfg.updater.enable [ "clamav-freshclam.service" ];
+ wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ];
 wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ];
- preStart = ''
- mkdir -m 0755 -p ${runDir}
- chown ${clamavUser}:${clamavGroup} ${runDir}
- '';
 serviceConfig = { ExecStart = "${pkg}/bin/clamd"; ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
+ User = clamavUser;
+ Group = clamavGroup;
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
 PrivateTmp = "yes"; PrivateDevices = "yes"; PrivateNetwork = "yes";
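Review bot: `DEFAULT.db_url` hard-codes `/var/lib/clamav/` while `DEFAULT.local_directory` on the next line uses `stateDir`, and the init unit added later in this file derives the path it checks from `db_url`; if the two ever disagree, the existence check and the signature databases live in different directories. Deriving both from one value, `DEFAULT.db_url = mkDefault "sqlite:///${stateDir}/fangfrisch_db.sqlite";`, keeps them consistent (with `stateDir` equal to `/var/lib/clamav` this yields the same four-slash URL as now). `stateDir` is defined outside this hunk, so whether it is a fixed constant or user-settable cannot be confirmed here; `StateDirectory = "clamav"` in the same hunk also assumes the `/var/lib/clamav` location.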
@@ -134,15 +176,63 @@ in
 description = "ClamAV virus database updater (freshclam)"; restartTriggers = [ freshclamConfigFile ]; after = [ "network-online.target" ];
- preStart = ''
- mkdir -m 0755 -p ${stateDir}
- chown ${clamavUser}:${clamavGroup} ${stateDir}
- '';
 serviceConfig = { Type = "oneshot"; ExecStart = "${pkg}/bin/freshclam"; SuccessExitStatus = "1"; # if databases are up to date
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
+ User = clamavUser;
+ Group = clamavGroup;
+ PrivateTmp = "yes";
+ PrivateDevices = "yes";
+ };
+ };
+
+ systemd.services.clamav-fangfrisch-init = mkIf cfg.fangfrisch.enable {
+ wantedBy = [ "multi-user.target" ];
+ # if the sqlite file can be found assume the database has already been initialised
+ script = ''
+ db_url="${cfg.fangfrisch.settings.DEFAULT.db_url}"
+ db_path="''${db_url#sqlite:///}"
+
+ if [ ! -f "$db_path" ]; then
+ ${pkgs.fangfrisch}/bin/fangfrisch --conf ${fangfrischConfigFile} initdb
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
+ User = clamavUser;
+ Group = clamavGroup;
+ PrivateTmp = "yes";
+ PrivateDevices = "yes";
+ };
+ };
+
+ systemd.timers.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {
+ description = "Timer for ClamAV virus database updater (fangfrisch)";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = cfg.fangfrisch.interval;
+ Unit = "clamav-fangfrisch.service";
+ };
+ };
+
+ systemd.services.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {
+ description = "ClamAV virus database updater (fangfrisch)";
+ restartTriggers = [ fangfrischConfigFile ];
+ after = [ "network-online.target" "clamav-fangfrisch-init.service" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.fangfrisch}/bin/fangfrisch --conf ${fangfrischConfigFile} refresh";
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
+ User = clamavUser;
+ Group = clamavGroup;
 PrivateTmp = "yes"; PrivateDevices = "yes"; };
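Review bot: `clamav-fangfrisch` only orders itself `after` `clamav-fangfrisch-init.service` without pulling it in, so if the init oneshot has not run (it is wanted by multi-user.target, but a timer-triggered start of the refresh unit does not imply it) `refresh` runs against a database that was never created; `requires = [ "clamav-fangfrisch-init.service" ];` plus `wants = [ "network-online.target" ];` to match the existing `after` closes that gap. The init unit also lacks a `description`, unlike the other units in this hunk, and both fangfrisch units reference `pkgs.fangfrisch` directly rather than through a package option, which is at odds with the rest of this commit converting modules to `mkPackageOption`. Worth confirming: the two oneshot updaters and the daemon now all declare `RuntimeDirectory = "clamav"`, and systemd removes a unit's runtime directory when that unit stops, so a oneshot sharing the directory with the running clamd may take it (and clamd's socket, if `runDir` points there) away on exit; `RuntimeDirectoryPreserve` or dropping `RuntimeDirectory` from the oneshots may be needed. The freshclam unit whose `serviceConfig` is extended at the top of this hunk begins outside it.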
diff --git a/nixpkgs/nixos/modules/services/security/esdm.nix b/nixpkgs/nixos/modules/services/security/esdm.nix
index 2b246fff7e96..134b4be1a94c 100644
--- a/nixpkgs/nixos/modules/services/security/esdm.nix
+++ b/nixpkgs/nixos/modules/services/security/esdm.nix
@@ -6,7 +6,7 @@ in { options.services.esdm = { enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
- package = lib.mkPackageOptionMD pkgs "esdm" { };
+ package = lib.mkPackageOption pkgs "esdm" { };
 serverEnable = lib.mkOption { type = lib.types.bool; default = true;
diff --git a/nixpkgs/nixos/modules/services/security/fail2ban.nix b/nixpkgs/nixos/modules/services/security/fail2ban.nix
index 235f29ab8a6a..59b9ea70209d 100644
--- a/nixpkgs/nixos/modules/services/security/fail2ban.nix
+++ b/nixpkgs/nixos/modules/services/security/fail2ban.nix
@@ -77,12 +77,8 @@ in
 ''; };
- package = mkOption {
- default = pkgs.fail2ban;
- defaultText = literalExpression "pkgs.fail2ban";
- type = types.package;
- example = literalExpression "pkgs.fail2ban_0_11";
- description = lib.mdDoc "The fail2ban package to use for running the fail2ban service.";
+ package = mkPackageOption pkgs "fail2ban" {
+ example = "fail2ban_0_11";
 }; packageFirewall = mkOption {
@@ -128,8 +124,8 @@ in
 }; banaction-allports = mkOption {
- default = if config.networking.nftables.enable then "nftables-allport" else "iptables-allport";
- defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allport" else "iptables-allport"'';
+ default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";
+ defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';
 type = types.str; description = lib.mdDoc '' Default banning action (e.g. iptables, iptables-new, iptables-multiport,
diff --git a/nixpkgs/nixos/modules/services/security/haka.nix b/nixpkgs/nixos/modules/services/security/haka.nix
index c93638f44d60..dda039857401 100644
--- a/nixpkgs/nixos/modules/services/security/haka.nix
+++ b/nixpkgs/nixos/modules/services/security/haka.nix
@@ -57,14 +57,7 @@ in
 enable = mkEnableOption (lib.mdDoc "Haka");
- package = mkOption {
- default = pkgs.haka;
- defaultText = literalExpression "pkgs.haka";
- type = types.package;
- description = lib.mdDoc ''
- Which Haka derivation to use.
- '';
- };
+ package = mkPackageOption pkgs "haka" { };
 configFile = mkOption { default = "empty.lua";
diff --git a/nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix b/nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix
index 7bfacb5ddc5d..289d2f7a9839 100644
--- a/nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix
+++ b/nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix
@@ -6,7 +6,7 @@ in
 options.services.jitterentropy-rngd = { enable = lib.mkEnableOption (lib.mdDoc "jitterentropy-rngd service configuration");
- package = lib.mkPackageOptionMD pkgs "jitterentropy-rngd" { };
+ package = lib.mkPackageOption pkgs "jitterentropy-rngd" { };
 }; config = lib.mkIf cfg.enable {
diff --git a/nixpkgs/nixos/modules/services/security/kanidm.nix b/nixpkgs/nixos/modules/services/security/kanidm.nix
index 6f4d1dc382ab..c8d8f69729e9 100644
--- a/nixpkgs/nixos/modules/services/security/kanidm.nix
+++ b/nixpkgs/nixos/modules/services/security/kanidm.nix
@@ -69,7 +69,7 @@ in
 enableServer = lib.mkEnableOption (lib.mdDoc "the Kanidm server"); enablePam = lib.mkEnableOption (lib.mdDoc "the Kanidm PAM and NSS integration");
- package = lib.mkPackageOptionMD pkgs "kanidm" {};
+ package = lib.mkPackageOption pkgs "kanidm" {};
 serverSettings = lib.mkOption { type = lib.types.submodule {
diff --git a/nixpkgs/nixos/modules/services/security/nginx-sso.nix b/nixpkgs/nixos/modules/services/security/nginx-sso.nix
index 971f22ed3476..dd32b8356cbb 100644
--- a/nixpkgs/nixos/modules/services/security/nginx-sso.nix
+++ b/nixpkgs/nixos/modules/services/security/nginx-sso.nix
@@ -10,14 +10,7 @@ in { options.services.nginx.sso = { enable = mkEnableOption (lib.mdDoc "nginx-sso service");
- package = mkOption {
- type = types.package;
- default = pkgs.nginx-sso;
- defaultText = literalExpression "pkgs.nginx-sso";
- description = lib.mdDoc ''
- The nginx-sso package that should be used.
- '';
- };
+ package = mkPackageOption pkgs "nginx-sso" { };
 configuration = mkOption { type = types.attrsOf types.unspecified;
diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
index 718c3d2498ea..78916c907279 100644
--- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
@@ -87,14 +87,7 @@ in
 options.services.oauth2_proxy = { enable = mkEnableOption (lib.mdDoc "oauth2_proxy");
- package = mkOption {
- type = types.package;
- default = pkgs.oauth2-proxy;
- defaultText = literalExpression "pkgs.oauth2-proxy";
- description = lib.mdDoc ''
- The package that provides oauth2-proxy.
- '';
- };
+ package = mkPackageOption pkgs "oauth2-proxy" { };
 ############################################## # PROVIDER configuration
diff --git a/nixpkgs/nixos/modules/services/security/pass-secret-service.nix b/nixpkgs/nixos/modules/services/security/pass-secret-service.nix
index c3c70d97ff59..f864f8a26595 100644
--- a/nixpkgs/nixos/modules/services/security/pass-secret-service.nix
+++ b/nixpkgs/nixos/modules/services/security/pass-secret-service.nix
@@ -9,12 +9,8 @@ in
 options.services.passSecretService = { enable = mkEnableOption (lib.mdDoc "pass secret service");
- package = mkOption {
- type = types.package;
- default = pkgs.pass-secret-service;
- defaultText = literalExpression "pkgs.pass-secret-service";
- description = lib.mdDoc "Which pass-secret-service package to use.";
- example = literalExpression "pkgs.pass-secret-service.override { python3 = pkgs.python310 }";
+ package = mkPackageOption pkgs "pass-secret-service" {
+ example = "pass-secret-service.override { python3 = pkgs.python310 }";
 }; };
diff --git a/nixpkgs/nixos/modules/services/security/sks.nix b/nixpkgs/nixos/modules/services/security/sks.nix
index 550b61916a22..7ac5ecec0d82 100644
--- a/nixpkgs/nixos/modules/services/security/sks.nix
+++ b/nixpkgs/nixos/modules/services/security/sks.nix
@@ -21,12 +21,7 @@ in { server. You need to create "''${dataDir}/dump/*.gpg" for the initial import'');
- package = mkOption {
- default = pkgs.sks;
- defaultText = literalExpression "pkgs.sks";
- type = types.package;
- description = lib.mdDoc "Which SKS derivation to use.";
- };
+ package = mkPackageOption pkgs "sks" { };
 dataDir = mkOption { type = types.path;
diff --git a/nixpkgs/nixos/modules/services/security/tor.nix b/nixpkgs/nixos/modules/services/security/tor.nix
index 9e786eb2bf06..4ff941251c99 100644
--- a/nixpkgs/nixos/modules/services/security/tor.nix
+++ b/nixpkgs/nixos/modules/services/security/tor.nix
@@ -230,12 +230,7 @@ in
 openFirewall = mkEnableOption (lib.mdDoc "opening of the relay port(s) in the firewall");
- package = mkOption {
- type = types.package;
- default = pkgs.tor;
- defaultText = literalExpression "pkgs.tor";
- description = lib.mdDoc "Tor package to use.";
- };
+ package = mkPackageOption pkgs "tor" { };
 enableGeoIP = mkEnableOption (lib.mdDoc ''use of GeoIP databases. Disabling this will disable by-country statistics for bridges and relays
diff --git a/nixpkgs/nixos/modules/services/security/usbguard.nix b/nixpkgs/nixos/modules/services/security/usbguard.nix
index 071e69975143..f167fbb2eca8 100644
--- a/nixpkgs/nixos/modules/services/security/usbguard.nix
+++ b/nixpkgs/nixos/modules/services/security/usbguard.nix
@@ -39,13 +39,9 @@ in
 services.usbguard = { enable = mkEnableOption (lib.mdDoc "USBGuard daemon");
- package = mkOption {
- type = types.package;
- default = pkgs.usbguard;
- defaultText = literalExpression "pkgs.usbguard";
- description = lib.mdDoc ''
- The usbguard package to use. If you do not need the Qt GUI, use
- `pkgs.usbguard-nox` to save disk space.
+ package = mkPackageOption pkgs "usbguard" {
+ extraDescription = ''
+ If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.
 ''; };
diff --git a/nixpkgs/nixos/modules/services/security/vault-agent.nix b/nixpkgs/nixos/modules/services/security/vault-agent.nix
index 17b8ff83592e..f8c281442f5f 100644
--- a/nixpkgs/nixos/modules/services/security/vault-agent.nix
+++ b/nixpkgs/nixos/modules/services/security/vault-agent.nix
@@ -14,7 +14,7 @@ let
 options = { enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; };
- package = mkPackageOptionMD pkgs pkgName { };
+ package = mkPackageOption pkgs pkgName { };
 user = mkOption { type = types.str;
diff --git a/nixpkgs/nixos/modules/services/security/vault.nix b/nixpkgs/nixos/modules/services/security/vault.nix
index 18d981cdb0d2..31782073968f 100644
--- a/nixpkgs/nixos/modules/services/security/vault.nix
+++ b/nixpkgs/nixos/modules/services/security/vault.nix
@@ -45,12 +45,7 @@ in
 services.vault = { enable = mkEnableOption (lib.mdDoc "Vault daemon");
- package = mkOption {
- type = types.package;
- default = pkgs.vault;
- defaultText = literalExpression "pkgs.vault";
- description = lib.mdDoc "This option specifies the vault package to use.";
- };
+ package = mkPackageOption pkgs "vault" { };
 dev = mkOption { type = types.bool;
diff --git a/nixpkgs/nixos/modules/services/security/vaultwarden/default.nix b/nixpkgs/nixos/modules/services/security/vaultwarden/default.nix
index 0517615a4c6a..14bbfa95a9ca 100644
--- a/nixpkgs/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixpkgs/nixos/modules/services/security/vaultwarden/default.nix
@@ -156,12 +156,7 @@ in {
 ''; };
- package = mkOption {
- type = package;
- default = pkgs.vaultwarden;
- defaultText = literalExpression "pkgs.vaultwarden";
- description = lib.mdDoc "Vaultwarden package to use.";
- };
+ package = mkPackageOption pkgs "vaultwarden" { };
 webVaultPackage = mkOption { type = package;
diff --git a/nixpkgs/nixos/modules/services/security/yubikey-agent.nix b/nixpkgs/nixos/modules/services/security/yubikey-agent.nix
index ee57ec8bf812..a9f15e4405f2 100644
--- a/nixpkgs/nixos/modules/services/security/yubikey-agent.nix
+++ b/nixpkgs/nixos/modules/services/security/yubikey-agent.nix
@@ -30,14 +30,7 @@ in
 ''; };
- package = mkOption {
- type = types.package;
- default = pkgs.yubikey-agent;
- defaultText = literalExpression "pkgs.yubikey-agent";
- description = lib.mdDoc ''
- The package used for the yubikey-agent daemon.
- '';
- };
+ package = mkPackageOption pkgs "yubikey-agent" { };
 }; }; |