Vladimír Čunát
d6b46ecb30
Merge branch 'closure-size' into p/default-outputs
2016-03-14 11:27:15 +01:00
Vladimír Čunát
09af15654f
Merge master into closure-size
...
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Leroy Hopson
24d5d28820
cacert: fix formatting of example
2016-02-27 22:25:39 +13:00
zimbatm
2c7e5a6d8e
Merge pull request #13434 from spacefrogg/oath-module
...
config.security.oath: new module
2016-02-26 18:06:28 +00:00
tg(x)
629a89343e
simp_le: external_pem.sh plugin is now called external.sh
2016-02-26 01:31:58 +01:00
Michael Raitza
d09c7986de
config.security.oath: new module
...
Add a module to make options to pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in
2016-02-25 13:52:45 +00:00
Vladimír Čunát
e9520e81b3
Merge branch 'master' into staging
2016-02-17 10:06:31 +01:00
Vladimír Čunát
d039c87984
Merge branch 'master' into closure-size
2016-02-14 08:33:51 +01:00
Nikolay Amiantov
c420a6f1ef
acme service: update plugins enum
2016-02-10 02:06:01 +03:00
Vladimír Čunát
ae74c356d9
Merge recent 'staging' into closure-size
...
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00
Guillaume Maudoux
9f358f809d
Configure a default trust store for openssl
2016-02-03 12:42:01 +01:00
Eelco Dolstra
bfebc7342e
Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt
2016-01-29 02:32:05 +01:00
Vladimír Čunát
ab8a691d05
nixos systemPackages: rework default outputs
...
- Now `pkg.outputUnspecified = true` but this attribute is missing in
every output, so we can recognize whether the user chose or not.
If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
`systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
We add extra outputs *regardless* of whether the user chose anything.
It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
2016-01-28 11:24:18 +01:00
Eelco Dolstra
2352e2589e
audit: Disable in containers
...
This barfs:
Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled
2016-01-26 16:25:40 +01:00
Tuomas Tynkkynen
8707bf4a3c
treewide: Mass replace 'libcap}/lib' to refer the 'out' output
2016-01-24 10:03:35 +02:00
Tuomas Tynkkynen
f412f5f3ee
treewide: Mass replace 'attr}/lib' to refer the 'out' output
2016-01-24 10:03:32 +02:00
Vladimír Čunát
716aac2519
Merge branch 'staging' into closure-size
2016-01-19 09:55:31 +01:00
Domen Kožar
7fe7138968
nixos: fix acme service @abbradar
2016-01-12 11:50:34 +01:00
Nikolay Amiantov
f92cec4c1b
nixos/acme: add allowKeysForGroup
2016-01-10 07:28:19 +03:00
Dan Peebles
63bfe20b72
security.audit: add NixOS module
...
Part of the way towards #11864 . We still don't have the auditd
userland logging daemon, but journald also tracks audit logs so we
can already use this.
2016-01-07 03:06:10 +00:00
Vladimír Čunát
f9f6f41bff
Merge branch 'master' into closure-size
...
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Nikolay Amiantov
5250582396
nixos/acme: fix timer unit
2015-12-13 17:01:59 +03:00
Franz Pletz
1685b9d06e
nixos/acme: Add module documentation
2015-12-12 16:06:53 +01:00
Franz Pletz
9374ddb895
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 16:06:53 +01:00
Franz Pletz
0517d59a66
nixos/acme: Improve documentation
2015-12-12 16:06:52 +01:00
Franz Pletz
de24b00d41
nixos/simp_le: Rename to security.acme
2015-12-12 16:06:52 +01:00
Luca Bruno
31ed92f65f
Fix system-path with multiout
2015-12-01 15:09:41 +01:00
Luca Bruno
920b1d3591
Merge branch 'master' into closure-size
2015-11-29 16:50:26 +01:00
Luca Bruno
07a0204282
nixos/polkit: fix systemd service after spiltting
2015-11-26 18:14:22 +01:00
obadz
a05a340e26
PAM: reorganize the way pam_ecryptfs and pam_mount get their password
...
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users as with pam_deny gone, if cfg.unixAuth = False
then it is possible to login without a password.
2015-11-21 21:10:40 +00:00
Tuomas Tynkkynen
d5c9e1aebe
nixos/polkit: Reference correct output of polkit
2015-10-28 10:17:10 +01:00
Vladimír Čunát
2490848627
polkit: split dev and bin outputs
2015-10-14 14:32:26 +02:00
Tuomas Tynkkynen
1ac0e05f69
nixos/setuid-wrappers: Build with normal mkDerivation phases
...
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
2015-10-03 14:08:55 +02:00
Vladimír Čunát
5227fb1dd5
Merge commit staging+systemd into closure-size
...
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jan Malakhovski
6eadb16022
nixos: fix some types
2015-09-18 18:48:50 +00:00
Tobias Geerinckx-Rice
c90eb862fc
nixos: prey module: fix option descriptions
2015-09-06 23:50:03 +02:00
Jaka Hudoklin
c7bb64cb97
Merge pull request #7344 from joachifm/apparmor-pam
...
nixos: add AppArmor PAM support
2015-08-29 18:59:53 +02:00
obadz
172522e153
ecryptfs:
...
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
box
2015-08-19 12:16:57 +01:00
Joachim Fasting
2e0933787b
nixos: add AppArmor PAM support
...
Enables attaching AppArmor profiles at the user/group level.
This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
2015-07-15 12:40:06 +02:00
William A. Kennington III
d605663ae2
Merge branch 'master.upstream' into staging.upstream
2015-07-05 13:06:02 -07:00
Thomas Strobel
7b6f279142
pam_mount module: integrate pam_mount into PAM of NixOS
2015-07-04 23:42:31 +02:00
William A. Kennington III
8e19ac8d7c
Merge branch 'master.upstream' into staging.upstream
2015-06-17 11:57:40 -07:00
Eelco Dolstra
6e6a96d42c
Some more type cleanup
2015-06-15 18:18:46 +02:00
William A. Kennington III
9d6555dc0a
Merge branch 'master.upstream' into staging.upstream
2015-06-06 12:04:42 -07:00
William A. Kennington III
ffd0539eba
cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out
2015-06-05 13:00:52 -07:00
William A. Kennington III
867d2c5c46
openssl: Remove References to OPENSSL_X509_CERT_FILE
2015-05-31 15:50:51 -07:00
William A. Kennington III
d6cbb061e3
cacert: Build directly from nss instead of our own tarball
2015-05-29 13:52:07 -07:00
Ricardo M. Correia
aa75bb25d8
grsecurity: Update stable and test patches
...
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test: 3.1-4.0.2-201505072057 -> 3.1-4.0.2-201505101122
2015-05-11 02:45:38 +02:00
Vladimír Čunát
3b9ef2c71b
fix "libc}/lib" and similar references
...
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
2015-05-05 11:52:08 +02:00
Philip Potter
2216728979
add support for pam_u2f to nixos pam module
...
This adds support for authenticating using a U2F device such as a
yubikey neo.
2015-05-03 19:22:00 +01:00