path: root/nixos/modules/security
Commit log (commit message, author, date):
* nixos/auditd: init at 2.7.6 (#27261)  [Christian Albrecht, 2017-07-09]
    #11864 Support Linux audit subsystem
    Add the auditd.service as NixOS module to be able to generate profiles from /var/log/audit/audit.log with apparmor-utils.
    auditd needs the folder /var/log/audit to be present on start so this is generated in ExecPreStart.
    auditd starts with -s nochange so that effective audit processing is managed by the audit.service.
* Merge pull request #26897 from layus/nixos-terminfo  [Jörg Thalheim, 2017-07-01]
    terminfo: symlink terminfo to /etc for ncurses
  * terminfo: symlink terminfo to /etc for ncurses  [Guillaume Maudoux, 2017-06-30]
* security-wrapper: run activation script after specialfs  [tv, 2017-06-26]
    Ensures that parentWrapperDir exists before it is used.
    Closes #26851
* Fixing attribute name mistake: setguid => setgid  [Parnell Springmeyer, 2017-06-15]
* nixos/acme: improve documentation  [Bjørn Forsman, 2017-06-09]
    * Use literalExample for better readability
    * Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
* nixos/acme: support "full.pem" (for lighttpd)  [Bjørn Forsman, 2017-06-09]
    * Create "full.pem" from selfsigned certificate
    * Tell simp_le to create "full.pem"
    * Inject service dependency between lighttpd and the generation of certificates
    Side note: According to the internet these servers also use the "full.pem" format: pound, ejabberd, pure-ftpd.
* nixos/security/acme: fix acme folder permissions  [lassulus, 2017-05-11]
* nixos/lock-kernel-modules: fix typo in unitConfig  [Joachim Fasting, 2017-04-30]
    I managed to miss this one somehow ... meh
* nixos: add option to lock kernel modules  [Joachim Fasting, 2017-04-30]
    Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state.
    The rationale for this over simply setting the sysctl knob is to allow some legitimate kernel module loading to occur; the naive solution breaks too much to be useful.
    The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200).
    From an aesthetic point of view, enabling this option helps make the configuration more "declarative".
    Closes https://github.com/NixOS/nixpkgs/pull/24681
* grsecurity: discontinue support  [Joachim Fasting, 2017-04-28]
    Upstream has decided to make -testing patches private, effectively ceasing free support for grsecurity/PaX [1]. Consequently, we can no longer responsibly support grsecurity on NixOS.
    This patch turns the kernel and patch expressions into build errors and adds a warning to the manual, but retains most of the infrastructure, in an effort to make the transition smoother. For 17.09 all of it should probably be pruned.
    [1]: https://grsecurity.net/passing_the_baton.php
* acme: Add "domain" option to separate domain from name  [edanaher, 2017-04-11]
    Fixes #24731.
* network-link-*.service: Set stopIfChanged = false  [Eelco Dolstra, 2017-04-04]
    This reduces the time window during which IP addresses are gone during switch-to-configuration.
    A complication is that with stopIfChanged = true, preStop would try to delete the *new* IP addresses rather than the old one (since the preStop script now runs after the switch to the new configuration). So we now record the actually configured addresses in /run/nixos/network/addresses/<interface>. This is more robust in any case.
    Issue https://github.com/NixOS/nixops/issues/640.
* acme: Use `chown -R` for challenges directory. Fixes #24529.  [Niklas Hambüchen, 2017-04-01]
    Commit 75f131da02c00027b9a8240fb74d117cb0f9d9cf added `chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script, but since it doesn't use `chown -R`, it is possible that there are older existing subdirs (like `acme-challenge`) that are owned by `root` from before that commit went in.
* security-wrapper: link old wrapper dir to new one  [Robin Gloster, 2017-03-23]
    This makes setuid wrappers not fail after upgrading.
    references #23641, #22914, #19862, #16654
* Revert "security-wrapper: Don't remove the old paths yet as that can create migration pain"  [Robin Gloster, 2017-03-23]
    This reverts commit 4c751ced376e0042ddd4f2aa8bd40754b9ea8926.
    This does not fix the issue as /run is now mounted with nosuid.
* Merge pull request #23641 from awakenetworks/parnell/fix-wrapper-migration  [Robin Gloster, 2017-03-21]
    security-wrapper: Don't remove the old paths yet as that can create migration pain
  * security-wrapper: Don't remove the old paths yet as that can create migration pain  [Parnell Springmeyer, 2017-03-08]
* nixos/treewide: systemd.time is in man volume 7  [Franz Pletz, 2017-03-21]
    cc #23396
* nixos/treewide: remove boolean examples for options  [Franz Pletz, 2017-03-17]
    They contain no useful information and increase the length of the autogenerated options documentation.
    See discussion in #18816.
* dhparams module: condition on enable option (#23661)  [Léo Gaspard, 2017-03-17]
    Hence, the init/cleanup service only runs when the dhparams module is enabled.
* grsecurity docs: fix incorrect option (#23789)  [zetok, 2017-03-12]
* grsecurity docs: fix syntax and indentation errors  [Jesper Geertsen Jonsson, 2017-03-05]
    Closes https://github.com/NixOS/nixpkgs/pull/23515
* Remove top-level kde5 attribute  [Thomas Tuegel, 2017-02-27]
    - There is no such thing as KDE 5
* Merge pull request #22634 from Ekleog/dhparams  [Robin Gloster, 2017-02-23]
    dhparams module: initialize
  * dhparams module: initialize  [Léo Gaspard, 2017-02-18]
* nixos polkit: fixup setuid wrapper of pkexec  [Vladimír Čunát, 2017-02-22]
    Broken in 628e6a8. Fixes #23083.
* wrappers service: make /run/wrappers a mountpoint  [Nikolay Amiantov, 2017-02-21]
    Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway.
* Merge pull request #22882 from bjornfor/wireshark  [Robin Gloster, 2017-02-20]
    nixos: add programs.wireshark option
  * setcapWrapper: add support for setting permissions  [Robin Gloster, 2017-02-17]
* Merge pull request #20456 from ericsagnes/feat/loaf-dep-1  [Joachim F, 2017-02-19]
    Use attrsOf in place of loaOf when relevant
  * acme module: certs option loaOf -> attrsOf  [Eric Sagnes, 2016-11-16]
* pam: add optional pam_kwallet5 integration  [Benjamin Staffin, 2017-02-16]
* nixos/security.wrappers: improve documentation  [Bjørn Forsman, 2017-02-15]
    * The source attribute is mandatory, not optional
    * The program attribute is optional
    * Move the info about the mandatory attribute first (most important, IMHO)
* nixos/security.wrappers: use literalExample in documentation  [Bjørn Forsman, 2017-02-15]
    It's much more readable when the example attrset is pretty printed instead of written as one line.
* nixos: remove remaining reference to setuidPrograms  [Bjørn Forsman, 2017-02-15]
    The option doesn't exist anymore.
* security-wrapper: Wrap <para> tags in a <note> tag  [Parnell Springmeyer, 2017-02-14]
* Using para tags for manual formatting  [Parnell Springmeyer, 2017-02-14]
* Syntax wibble  [Parnell Springmeyer, 2017-02-14]
* Default should be to set owner and group to root on setcap wrappers too  [Parnell Springmeyer, 2017-02-14]
* Fixing ref to old-wrappersDir  [Parnell Springmeyer, 2017-02-14]
* Simplifying the wrapper program derivation  [Parnell Springmeyer, 2017-02-14]
* Addressing feedback and fixing a bug  [Parnell Springmeyer, 2017-02-14]
* Removing unused module option old-wrapperDir  [Parnell Springmeyer, 2017-02-14]
* Derp, correctly write the source program's path  [Parnell Springmeyer, 2017-02-13]
* Resurrecting the single-wrapper read from sibling .real file behavior  [Parnell Springmeyer, 2017-02-13]
* Merging against upstream master  [Parnell Springmeyer, 2017-02-13]
  * pam_oath: require OATH and pam_unix credentials to be valid  [Graham Christensen, 2017-02-12]
  * grsecurity docs: some polish  [Joachim Fasting, 2017-02-03]
      Fix minor formatting issues, excessive punctuation, and also some improved wording.
* Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not)  [Parnell Springmeyer, 2017-01-30]