path: root/nixos/modules/security
Commit message (author, date)
* security.pam.usb: link to wiki on github.com (Tristan Helmich, 2017-09-28)
  pamusb.org no longer serves the intended content.
* nixos/lock-kernel-modules: fix deferred fileSystem mounts (Joachim Fasting, 2017-09-22)
  Ensure that modules required by all declared fileSystems are explicitly loaded. A little ugly but fixes the deferred mount test. See also https://github.com/NixOS/nixpkgs/issues/29019
* nixos/hardened: simplify script (Joachim Fasting, 2017-09-22)
* fuse3: init at 3.1.1 (Michael Weiss, 2017-09-21)
  This includes fuse-common (fusePackages.fuse_3.common) as recommended by upstream. But while fuse(2) and fuse3 would normally depend on fuse-common we can't do that in nixpkgs while fuse-common is just another output from the fuse3 multiple-output derivation (i.e. this would result in a circular dependency).

  To avoid building fuse3 twice I decided it would be best to copy the shared files (i.e. the ones provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and avoid collision warnings by defining priorities. Now it should be possible to install an arbitrary combination of "fuse", "fuse3", and "fuse-common" without getting any collision warnings.

  The end result should be the same and all changes should be backwards compatible (assuming that mount.fuse from fuse3 is backwards compatible as stated by upstream [0] - if not this might break some /etc/fstab definitions but that should be very unlikely). My tests with sshfs (version 2 and 3) didn't show any problems.

  See #28409 for some additional information.

  [0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
* nixos/chromium-suid-sandbox: remove reference to grsecurity (Joachim Fasting, 2017-09-02)
* nixos: purge remaining grsecurity bits (Joachim Fasting, 2017-09-02)
  :( Fixes https://github.com/NixOS/nixpkgs/issues/28859
* nixos: Fix pam_kwallet5 integration (Benjamin Staffin, 2017-08-22)
  Fixes #28469
* nixos/auditd: break ordering cycle (#27577) (Christian Albrecht, 2017-08-01)
  auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ]; because of this the job systemd-update-utmp.service/start is deleted. Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle. See also #11864
* nixos/auditd: init at 2.7.6 (#27261) (Christian Albrecht, 2017-07-09)
  #11864 Support Linux audit subsystem

  Add the auditd.service as NixOS module to be able to generate profiles from /var/log/audit/audit.log with apparmor-utils. auditd needs the folder /var/log/audit to be present on start so this is generated in ExecPreStart. auditd starts with -s nochange so that effective audit processing is managed by the audit.service.
* Merge pull request #26897 from layus/nixos-terminfo (Jörg Thalheim, 2017-07-01)
  terminfo: symlink terminfo to /etc for ncurses
  * terminfo: symlink terminfo to /etc for ncurses (Guillaume Maudoux, 2017-06-30)
* security-wrapper: run activation script after specialfs (tv, 2017-06-26)
  Ensures that parentWrapperDir exists before it is used. Closes #26851
* Fixing attribute name mistake: setguid => setgid (Parnell Springmeyer, 2017-06-15)
* nixos/acme: improve documentation (Bjørn Forsman, 2017-06-09)
  - Use literalExample for better readability
  - Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
* nixos/acme: support "full.pem" (for lighttpd) (Bjørn Forsman, 2017-06-09)
  - Create "full.pem" from self-signed certificate
  - Tell simp_le to create "full.pem"
  - Inject service dependency between lighttpd and the generation of certificates

  Side note: According to the internet these servers also use the "full.pem" format: pound, ejabberd, pure-ftpd.
* nixos/security/acme: fix acme folder permissions (lassulus, 2017-05-11)
* nixos/lock-kernel-modules: fix typo in unitConfig (Joachim Fasting, 2017-04-30)
  I managed to miss this one somehow ... meh
* nixos: add option to lock kernel modules (Joachim Fasting, 2017-04-30)
  Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state.

  The rationale for this over simply setting the sysctl knob is to allow some legitimate kernel module loading to occur; the naive solution breaks too much to be useful.

  The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200).

  From an aesthetic point of view, enabling this option helps make the configuration more "declarative".

  Closes https://github.com/NixOS/nixpkgs/pull/24681
* grsecurity: discontinue support (Joachim Fasting, 2017-04-28)
  Upstream has decided to make -testing patches private, effectively ceasing free support for grsecurity/PaX [1]. Consequently, we can no longer responsibly support grsecurity on NixOS.

  This patch turns the kernel and patch expressions into build errors and adds a warning to the manual, but retains most of the infrastructure, in an effort to make the transition smoother. For 17.09 all of it should probably be pruned.

  [1]: https://grsecurity.net/passing_the_baton.php
* acme: Add "domain" option to separate domain from name (edanaher, 2017-04-11)
  Fixes #24731.
* network-link-*.service: Set stopIfChanged = false (Eelco Dolstra, 2017-04-04)
  This reduces the time window during which IP addresses are gone during switch-to-configuration.

  A complication is that with stopIfChanged = true, preStop would try to delete the *new* IP addresses rather than the old one (since the preStop script now runs after the switch to the new configuration). So we now record the actually configured addresses in /run/nixos/network/addresses/<interface>. This is more robust in any case.

  Issue https://github.com/NixOS/nixops/issues/640.
* acme: Use `chown -R` for challenges directory. Fixes #24529. (Niklas Hambüchen, 2017-04-01)
  Commit 75f131da02c00027b9a8240fb74d117cb0f9d9cf added `chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script, but since it doesn't use `chown -R`, it is possible that there are older existing subdirs (like `acme-challenge`) that are owned by `root` from before that commit went in.
* security-wrapper: link old wrapper dir to new one (Robin Gloster, 2017-03-23)
  This makes setuid wrappers not fail after upgrading. references #23641, #22914, #19862, #16654
* Revert "security-wrapper: Don't remove the old paths yet as that can create migration pain" (Robin Gloster, 2017-03-23)
  This reverts commit 4c751ced376e0042ddd4f2aa8bd40754b9ea8926. This does not fix the issue as /run is now mounted with nosuid.
* Merge pull request #23641 from awakenetworks/parnell/fix-wrapper-migration (Robin Gloster, 2017-03-21)
  security-wrapper: Don't remove the old paths yet as that can create migration pain
  * security-wrapper: Don't remove the old paths yet as that can create migration pain (Parnell Springmeyer, 2017-03-08)
* nixos/treewide: systemd.time is in manvolume 7 (Franz Pletz, 2017-03-21)
  cc #23396
* nixos/treewide: remove boolean examples for options (Franz Pletz, 2017-03-17)
  They contain no useful information and increase the length of the autogenerated options documentation. See discussion in #18816.
* dhparams module: condition on enable option (#23661) (Léo Gaspard, 2017-03-17)
  Hence, the init/cleanup service only runs when the dhparams module is enabled.
* grsecurity docs: fix incorrect option (#23789) (zetok, 2017-03-12)
* grsecurity docs: fix syntax and indentation errors (Jesper Geertsen Jonsson, 2017-03-05)
  Closes https://github.com/NixOS/nixpkgs/pull/23515
* Remove top-level kde5 attribute (Thomas Tuegel, 2017-02-27)
  - There is no such thing as KDE 5
* Merge pull request #22634 from Ekleog/dhparams (Robin Gloster, 2017-02-23)
  dhparams module: initialize
  * dhparams module: initialize (Léo Gaspard, 2017-02-18)
* nixos polkit: fixup setuid wrapper of pkexec (Vladimír Čunát, 2017-02-22)
  Broken in 628e6a8. Fixes #23083.
* wrappers service: make /run/wrappers a mountpoint (Nikolay Amiantov, 2017-02-21)
  Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway.
* Merge pull request #22882 from bjornfor/wireshark (Robin Gloster, 2017-02-20)
  nixos: add programs.wireshark option
  * setcapWrapper: add support for setting permissions (Robin Gloster, 2017-02-17)
* Merge pull request #20456 from ericsagnes/feat/loaf-dep-1 (Joachim F, 2017-02-19)
  Use attrsOf in place of loaOf when relevant
  * acme module: certs option loaOf -> attrsOf (Eric Sagnes, 2016-11-16)
* pam: add optional pam_kwallet5 integration (Benjamin Staffin, 2017-02-16)
* nixos/security.wrappers: improve documentation (Bjørn Forsman, 2017-02-15)
  - The source attribute is mandatory, not optional
  - The program attribute is optional
  - Move the info about the mandatory attribute first (most important, IMHO)
* nixos/security.wrappers: use literalExample in documentation (Bjørn Forsman, 2017-02-15)
  It's much more readable when the example attrset is pretty printed instead of written as one line.
* nixos: remove remaining reference to setuidPrograms (Bjørn Forsman, 2017-02-15)
  The option doesn't exist anymore.
* security-wrapper: Wrap <para> tags in a <note> tag (Parnell Springmeyer, 2017-02-14)
* Using para tags for manual formatting (Parnell Springmeyer, 2017-02-14)
* Syntax wibble (Parnell Springmeyer, 2017-02-14)
* Default should be to set owner and group to root on setcap wrappers too (Parnell Springmeyer, 2017-02-14)
* Fixing ref to old-wrappersDir (Parnell Springmeyer, 2017-02-14)
* Simplifying the wrapper program derivation (Parnell Springmeyer, 2017-02-14)