path: root/nixos/modules/services/security
Commit message (Author, Age)
* nixos/treewide: Move rename.nix imports to their respective modules (Silvan Mosberger, 2019-12-10)
  A centralized list for these renames is not good because:
  - It breaks disabledModules for modules that have a rename defined
  - Adding/removing renames for a module means having to find them in the central file
  - Merge conflicts due to multiple people editing the central file
* vault: fix config when file backend is used (EEva (JPotier), 2019-11-05)
  When the option services.vault.storageBackend is set to "file", a systemd.tmpfiles.rules was added, with extraneous []. These are not needed and have been removed.
* treewide: Switch to system users (Janne Heß, 2019-10-12)
* fprintd: 0.8.1 -> 0.9.0 (worldofpeace, 2019-09-17)
  Resolves issues with StateDirectory not being set in systemd unit.
  https://gitlab.freedesktop.org/libfprint/fprintd/-/tags/V_0_9_0
* Merge branch 'master' into staging (Vladimír Čunát, 2019-09-02)
* nixos: remove dependencies on local-fs.target (Florian Klink, 2019-09-01)
  Since https://github.com/NixOS/nixpkgs/pull/61321, local-fs.target is part of sysinit.target again, meaning units without DefaultDependencies=no will automatically depend on it, and the manually set dependencies can be dropped.
* nixos/modules: Remove all usages of types.string (Silvan Mosberger, 2019-08-31)
  And replace them with a more appropriate type. Also fix up some minor module problems along the way.
* Merge staging-next into staging (Frederik Rietdijk, 2019-08-31)
* vault: add raft backend to vault service (Danielle Lancashire, 2019-08-28)
* Merge staging-next into staging (Frederik Rietdijk, 2019-08-28)
* Merge pull request #63539 from ivan/usbguard-nox (Sarah Brofeldt, 2019-08-23)
  usbguard-nox: init at 0.7.4
* usbguard-nox: init at 0.7.4 (Ivan Kozik, 2019-06-20)
  This is just usbguard without the Qt GUI that brings in Qt dependencies.
  Remove pandoc to reduce closure size. The usbguard build appears to use it only for spell checking.
  Remove asciidoctor because 0.7.1 switched to asciidoc. But don't add a dependency on asciidoc, because that causes the build to fail on external DTDs.
* Merge pull request #65995 from danderson/master (Marek Mahut, 2019-08-19)
  nixos/sshguard: create ipsets before starting, and clean up after stopping.
* nixos/sshguard: create ipsets before starting, and clean up after stopping. (David Anderson, 2019-08-04)
  The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race.
  This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic.
  This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind.
  Fixes #65985.
* treewide: remove redundant quotes (volth, 2019-08-26)
* nixos/modules: Replace all nested types.either's with types.oneOf's (Silvan Mosberger, 2019-08-08)
* sshguard: do not create ipset in post-start (Ashish SHUKLA, 2019-07-27)
  Upstream switched to a different type of ipset table, whereas we create ipset in post-start which overrides upstream, and renders sshguard ineffective.
  Remove ipset creation from post-start, and let it get created automatically by the upstream script (sshg-fw-ipset) as part of startup.
* nixos/tor: fix obfs4 package (fuwa, 2019-07-19)
* nixos: add StateDirectory for fprintd (Michael Peyton Jones, 2019-05-26)
* Merge pull request #61546 from cizra/libfprint-vfs0090 (worldofpeace, 2019-05-20)
  libfprint: added a fork for Lenovo ThinkPad
* fprintd: added option to use fork for Lenovo ThinkPad (Elmo Todurov, 2019-05-20)
* Merge pull request #60406 from JohnAZoidberg/remove-isnull (Robin Gloster, 2019-05-18)
  treewide: Remove usage of isNull
* treewide: Remove usage of isNull (Daniel Schaefer, 2019-04-29)
  isNull "is deprecated; just write e == null instead" says the Nix manual
* Merge pull request #59480 from worldofpeace/fprintd-systemd (worldofpeace, 2019-05-13)
  nixos/fprintd: use systemd.packages
* nixos/fprintd: use systemd.packages (worldofpeace, 2019-04-14)
  Upstream has a systemd service.
* nixos tor: use obfs4proxy, make transport list customizable (Will Dietz, 2019-05-01)
* nixos/sks: Fix another regression from ab5dcc7068b (Michael Weiss, 2019-04-28)
  The two directories KDB and PTree do not exist before the SKS DB is built for the first time. If /var/db/sks is empty and the module is enabled via "services.sks.enable = true;" the following error will occur:
  ...-unit-script-sks-db-pre-start[xxx]: ln: failed to create symbolic link 'KDB/DB_CONFIG': No such file or directory
  To avoid this both links have to be created after the DB is built.
  Note: Creating the directories manually might be better but the initial build might be skipped as a result:
  unit-script-sks-db-pre-start[xxxxx]: KeyDB directory already exists. Exiting.
  unit-script-sks-db-pre-start[xxxxx]: PTree directory already exists. Exiting.
* nixos/sks: Fix the module (the pre-start script was broken) (Michael Weiss, 2019-04-27)
  Unfortunately the changes in ab5dcc7068bfaca3a7a2eaa8ad824a86c2595681 introduced a typo (took me a while to spot that...) that broke the whole module (or at least the sks-db systemd unit). The systemd unit was failing with the following error message:
  ...-unit-script-sks-db-pre-start[xxx]: KDB/DB_CONFIG exists but is not a symlink.
* nixos/bitwarden_rs: init (Matthijs Steen, 2019-04-23)
* nixos/vault: replace deprecated usage of PermissionsStartOnly (Aaron Andersen, 2019-04-13)
  see https://github.com/NixOS/nixpkgs/issues/53852
* nixos/munge: replace deprecated usage of PermissionsStartOnly (Aaron Andersen, 2019-04-13)
  see https://github.com/NixOS/nixpkgs/issues/53852
* nixos/hologram-agent: /var/run -> /run (Bob van der Linden, 2019-03-24)
* munge: fix module munge.key permissions from 0700 -> 0400 readonly (Chris Ostrouchov, 2019-01-30)
* Merge pull request #45567 from johanot/certmgr-rootca-patch (Franz Pletz, 2019-01-30)
  certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
* certmgr service: add package option (Franz Pletz, 2019-01-24)
* nixos: add nginx-sso service (Pierre Bourdon, 2019-01-29)
* Merge pull request #54495 from peterhoeg/f/sshguard (Silvan Mosberger, 2019-01-29)
  nixos/sshguard: fix syslog identifiers and pid file
* nixos/sshguard: fix syslog ids, no more pid file, cleanups (Peter Hoeg, 2019-01-28)
  1. Allow syslog identifiers with special characters
  2. Do not write a pid file as we are running in foreground anyway
  3. Clean up the module for readability
  Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted.
* nixos/sks: Add option to configure database settings (Elis Hirwing, 2019-01-28)
  This can be used for options to tweak the behavior around the database.
* nixos/tor: add HiddenServiceVersion option (Jonas Nick, 2018-11-23)
* nixos/munge: do not create unnecessary log dir (Markus Kowalewski, 2018-10-21)
  /var/log/munge is not used. All log messages go to syslog.
* nixos/tor: better support non-anonymous services (Jean-Paul Calderone, 2018-10-17)
  Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are enabled. If the configuration doesn't enable Tor client features, generate a configuration file that explicitly includes this disabling to allow such non-anonymous hidden services to be created (note that doing so still requires additional configuration).
  See #48622.
* nixos/clamav: fix freshclam service if db up to date (Franz Pletz, 2018-10-02)
* nixos/clamav: fix daemon/updater services toggling (Franz Pletz, 2018-10-02)
* nixos/tor: Correct "transparent" typo (Jean-Paul Calderone, 2018-09-17)
* nixos/sks: Make the webroot option optional (Michael Weiss, 2018-09-08)
  That way the built-in web server is usable by default but users can use $HOME/web directly (instead of having to use a symlink), if they want to customize the webpage.
* nixos/sks: Use a group and don't add sks to systemPackages (Michael Weiss, 2018-09-08)
  Without a group the gid will default to 65534 (2^16 - 2) which maps to "nogroup". IMO it makes more sense to explicitly set a valid group.
  Adding pkgs.sks to environment.systemPackages is not required (IIRC we want to avoid bloating environment.systemPackages). Instead it seems like a better idea to make the relevant binaries available to the user sks and enable useDefaultShell so that "su -l sks" can be used for manual interaction (that way the files will always have the correct owner).
* nixos/sks: Add a webroot option (Michael Weiss, 2018-09-08)
  The module will now, by default, serve a simple webpage via the built-in web server (instead of displaying an error message).
* nixos/sks: Update the descriptions and add meta.maintainers (Michael Weiss, 2018-09-08)
  TODO: Merge this module with https://github.com/NixOS/nixpkgs/pull/24516
* nixos/sks: Add a dataDir option (Michael Weiss, 2018-09-08)