Commit message | Author | Age | |
---|---|---|---|
* | Merge pull request #291951 from amarshall/zfs-pkgs-renaming | Adam C. Stephens | 2024-03-01 |
|\ | | | | | zfs: rename zfsStable -> zfs_2_2; zfsUnstable -> zfs_unstable; remove enableUnstable option in favor of package | ||
| * | nixos/pam: Do not incorrectly use zfs.enableUnstable in assertion | Andrew Marshall | 2024-02-27 |
| | | | | | | | | | | `zfs.enableUnstable` only has an effect if `zfs.enabled = true`, so only require `zfs.enabled` to be true here. | ||
* | | nixos/pam/kwallet: rename option, allow setting package | K900 | 2024-02-28 |
|/ | |||
* | Merge pull request #286857 from RaitoBezarius/cacerts | Ryan Lahfa | 2024-02-11 |
|\ | | | | | nixos/security/ca: enable support for compatibility bundles | ||
| * | nixos/security/ca: enable support for compatibility bundles | Raito Bezarius | 2024-02-11 |
| | | | | | | | | | | | | | | | | | | | | Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional trust rules. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> | ||
* | | pam_usb, nixos/pam-usb: drop | Raito Bezarius | 2024-02-08 |
| | | | | | | | | `security.pam.usb` is broken anyway and upstream has abandoned the software. | ||
* | | nixos/acme: default to lets encrypt production URL instead of null, mention lets encrypt staging URI (#270221) | Sandro | 2024-02-06 |
|/ | |||
* | nixos/pam: Add pam_intune | Rhys Davies | 2024-02-02 |
| | |||
* | Merge pull request #285587 from edef1c/wrapper-cve-2023-6246 | Pierre Bourdon | 2024-02-01 |
|\ | | | | | nixos/modules/security/wrappers: limit argv0 to 512 bytes | ||
| * | nixos/modules/security/wrappers: limit argv0 to 512 bytes | edef | 2024-02-01 |
| | | | | | | | | | | | | This mitigates CVE-2023-6246, crucially without a mass-rebuild. Change-Id: I762a0d489ade88dafd3775d54a09f555dc8c2527 | ||
* | | nixos/pam: remove pam_cgfs | Adam Stephens | 2024-01-31 |
|/ | | | | | pam_cgfs is a cgroups-v1 pam module. Verified with upstream that this module is no longer necessary on cgroups-v2 systems. | ||
* | nixos/acme: fix assertion for renamed option | éclairevoyant | 2024-01-19 |
| | |||
* | fix semi-colon missing | mian | mian | 2024-01-18 |
| | |||
* | Merge pull request #243169 from 2xsaiko/outgoing/krb5 | Peder Bergebakken Sundt | 2024-01-10 |
|\ | | | | | nixos/krb5: cleanup, fix and RFC42-ify | ||
| * | nixos/krb5: add h7x4 as maintainer | Marco Rebhan | 2023-12-21 |
| | | |||
| * | nixos/krb5: add myself as maintainer for module & tests | Marco Rebhan | 2023-12-21 |
| | | |||
| * | nixos/krb5: move to security.krb5 | Marco Rebhan | 2023-12-21 |
| | | |||
* | | nixos/pam: Fix use of renamed `enableSSHAgentAuth` option | nicoo | 2024-01-08 |
| | | |||
* | | Merge pull request #277620 from nbraud/nixos/pam/ssh-agent-auth-31611 | Maciej Krüger | 2024-01-08 |
|\ \ | | | | | | | nixos/pam: Add option for ssh-agent auth's trusted authorized_keys files | ||
| * | | nixos/sudo: Remove unused `enableSSHAgentAuth` let-binding | nicoo | 2024-01-04 |
| | | | |||
| * | | nixos/pam: Warn on insecure `sshAgentAuth` configurations | nicoo | 2024-01-04 |
| | | | |||
| * | | nixos/pam: Add `sshAgentAuth.authorizedKeysFiles` option | nicoo | 2024-01-03 |
| | | | |||
| * | | nixos/pam: Rename option `enableSSHAgentAuth` to `sshAgentAuth.enable` | nicoo | 2024-01-03 |
| | | | |||
* | | | Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth | Maciej Krüger | 2024-01-07 |
|\ \ \ | |/ / |/| | | nixos/pam: Add assertion for SSH-agent auth | ||
| * | | nixos/pam: Assert that `authorizedKeysFiles` is non-empty when using `pam_ssh_agent_auth` | nicoo | 2023-12-30 |
| | | | |||
* | | | nixos/auditd: fix typo | Maciej Krüger | 2024-01-01 |
|/ / | | | | | | | | | | | | | | | | | Would otherwise fail with ``` error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values: - In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target " ``` | ||
* | | nixos/wrappers: order service after sysusers service | nikstur | 2023-12-29 |
| | | |||
* | | nixos/ipa: replace activationScript | nikstur | 2023-12-29 |
| | | | | | | | | Replaced with a dedicated systemd service. | ||
* | | Merge pull request #271326 from philiptaron/shutdown.target | nikstur | 2023-12-27 |
|\ \ | | | | | | | treewide: depend on `shutdown.target` if `DefaultDependencies=no` in almost every case | ||
| * | | nixos/suid-sgid-wrappers: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 2023-11-30 |
| | | | |||
| * | | nixos/duosec: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 2023-11-30 |
| | | | |||
| * | | nixos/auditd: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 2023-11-30 |
| | | | | | | | | | | | | | | | This looks like it's got a few other idiosyncrasies, but I'll leave it alone for now. | ||
| * | | nixos/apparmor: ensure correct ordering w.r.t. shutdown.target | Philip Taron | 2023-11-30 |
| | | | |||
* | | | nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it | Sandro Jäckel | 2023-12-24 |
| | | | | | | | | | | | | | | | | | | Also fix the comment with test instructions | ||
* | | | nixos/sudo-rs: Removed unused let-binding | nicoo | 2023-12-24 |
| |/ |/| | | | | | Leftover from bcc2d1238a1c97347518812f224921d29aa3b3f8 | ||
* | | Merge pull request #270224 from SuperSandro2000/patch-2 | pennae | 2023-12-11 |
|\ \ | |/ |/| | nixos/acme: add syntax highlighting to code blocks | ||
| * | nixos/acme: add syntax highlighting to code blocks | Sandro | 2023-12-10 |
| | | |||
* | | Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption | Weijia Wang | 2023-11-30 |
|\ \ | | | | | | | treewide: use `mkPackageOption` | ||
| * | | treewide: use `mkPackageOption` | h7x4 | 2023-11-27 |
| |/ | | | | | | | | | This commit replaces a lot of usages of `mkOption` with the package type, to be `mkPackageOption`, in order to reduce the amount of code. | ||
* | | nixos/sudo-rs: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module | nicoo | 2023-11-25 |
| | | | | | | | | Similar to delroth's suggestion in #262790. | ||
* | | nixos/sudo-rs: Clarify `security.sudo-rs.enable`'s description | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: Refactor option definitions | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: refactor processing of `cfg.extraRules` | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: Fix bug putting the wrong version of sudo in `environment.systemPackages` | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: Drop checks for sudo implementation | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: uniformize ssh-agent auth behaviour with `security.sudo` | nicoo | 2023-11-25 |
| | | |||
* | | nixos/sudo-rs: Simplify activation | nicoo | 2023-11-25 |
|/ | |||
* | treewide: replace broken udev paths with systemd | ners | 2023-11-21 |
| | |||
* | nixos/acme: do not eat Let's Encrypt's request limits if misconfigured on first try (#266155) | Léo Gaspard | 2023-11-14 |
| | |||
* | nixos/sudo: Update assertion message | nicoo | 2023-11-14 |
| |