Lin Jian
74fadae942
treewide: stop using types.string
...
It is an error[1] now.
[1]: https://github.com/NixOS/nixpkgs/pull/247848
2023-08-08 21:31:21 +08:00
ajs124
bf4d2e6c1e
Merge pull request #242538 from tnias/fix/apparmor
...
apparmor: add some policies and improve abstractions and utils
2023-08-04 13:05:52 +02:00
Philipp Bartsch
0f474b4c6c
nixos/apparmor: support custom i18n glibc locales
...
The i18n nixos module creates a customized glibcLocales package.
Use the system specific glibcLocale instead of the vanilla one.
2023-07-12 21:38:31 +02:00
Philipp Bartsch
ad7ffe3a7c
nixos/apparmor: fix syntax in abstractions/bash
2023-07-09 22:25:30 +02:00
Philipp Bartsch
9145e6df84
nixos/apparmor: add missing abstraction/nss-systemd
...
The abstraction/nameservice profile from apparmor-profiles package
includes abstractions/nss-systemd. Without "reexporting" it,
the include fails and we get some errors.
2023-07-09 22:21:44 +02:00
Jacob Moody
5f97e78c64
pam_dp9ik: init at 1.5
2023-07-09 14:12:21 -05:00
Philipp Bartsch
0eabede44b
nixos/apparmor: make abstractions/ssl_certs more go friendly
...
By default golang's crypto/x509 implementation wants to read
/etc/pki/tls/certs/ when loading system certificates.
This patch adds the path to reduce audit log noise.
Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
2023-07-08 00:53:27 +02:00
Michael Hoang
98d970bc37
nixos/qemu-vm: use CA certificates from host
2023-07-06 21:32:08 +10:00
Felix Buehler
933a41a73f
treewide: use optional instead of 'then []'
2023-06-25 09:11:40 -03:00
Max
34a4165674
nixos/pam: support Kanidm
2023-06-11 17:17:42 +02:00
Jenny
0adbf8feb4
nixos/pam_mount: fix mounts without options (#234026)
...
This commit adds a comma in front of the given options, which makes the
mounts still succeed even if no options are given.
Fixes #233946
2023-05-25 22:45:59 +02:00
Jenny
7abd408b7f
nixos/pam_mount: fix cryptmount options (#232873)
...
There was a bug in the pam_mount module that crypt mount options were
not passed to the mount.crypt command. This is now fixed and
additionally, a cryptMountOptions NixOS option is added to define mount
options that should apply to all crypt mounts.
Fixes #230920
2023-05-20 17:40:36 +02:00
Robert Hensing
25f227fc67
Merge pull request #231316 from hercules-ci/nixos-system.checks
...
NixOS: add `system.checks`
2023-05-15 23:16:29 +02:00
Nick Cao
1de301aef3
Merge pull request #231954 from mac-chaffee/acme-ipv6
...
nixos/security/acme: Fix listenHTTP bug with IPv6 addresses
2023-05-15 07:30:57 -06:00
Raito Bezarius
3f446bfbd3
nixos/pam: fix ZFS support assertion
...
It was always complaining even if you didn't enable PAM ZFS.
2023-05-15 12:06:04 +02:00
Nicola Squartini
87cbaf7ce3
nixos/pam: assert ZFS support for PAM module
2023-05-15 09:22:42 +02:00
Nicola Squartini
5466f76755
nixos/pam: improve documentation of ZFS module
2023-05-15 09:22:39 +02:00
Nicola Squartini
09f4bf7f16
nixos/pam: enable unlocking ZFS home dataset
2023-05-15 09:20:40 +02:00
Mac Chaffee
33b15fdce0
security/acme: Fix listenHTTP bug with IPv6 addresses
2023-05-14 20:27:52 -04:00
Robert Hensing
2e2f0d28ea
nixos: Use checks instead of extraDependencies
...
... as appropriate.
This drops a few unnecessary store paths from the system closure.
2023-05-11 21:18:38 +02:00
Ryan Lahfa
fe7b996d66
Merge pull request #230857 from s1341/bugfix_pam_sssd
...
nixos/pam: Allow password changing via sssd
2023-05-10 16:56:47 +02:00
fetsorn
5e77899001
nixos/tpm2: fix typo
...
"acess" -> "access"
2023-05-09 18:02:17 +04:00
fetsorn
ac5f6d9100
nixos/apparmor: fix typo
...
"usualy" -> "usually"
2023-05-09 18:02:17 +04:00
s1341
e2d538fead
pam: remove unused try_first_pass
2023-05-09 13:45:15 +03:00
s1341
765ae4d581
nixos/pam: allow changing password using sssd
2023-05-09 13:43:06 +03:00
Nick Cao
3e3d82f42c
Merge pull request #227232 from datafoo/nixos-acme-fix-options-type
...
nixos/acme: fix options type
2023-04-24 10:01:04 +08:00
Artturi
b83db86a9e
Merge pull request #222080 from Stunkymonkey/nixos-optionalString
2023-04-20 16:07:30 +03:00
datafoo
2890af5e4b
nixos/acme: fix options type
...
null is a possible default so the type must reflect that.
2023-04-20 11:52:57 +02:00
Felix Buehler
327b0cff7a
treewide: use more lib.optionalString
2023-04-07 13:38:33 +02:00
Benjamin Staffin
ff296a777e
Merge pull request #207115 from s1341/init_freeipa
...
freeipa: init at 4.10.1
2023-03-30 13:15:18 -04:00
github-actions[bot]
d761f69867
Merge master into staging-next
2023-03-17 17:57:00 +00:00
Savyasachee Jha
4177ddcfd6
doas: refactor config generation
...
According to Ted Unangst, since doas evaluates rules in a last
matched manner, it is prudent to have the "permit root to do everything
without a password" at the end of the file.
Source: https://flak.tedunangst.com/post/doas-mastery
2023-03-17 09:05:08 -07:00
github-actions[bot]
455127ad5e
Merge master into staging-next
2023-03-16 18:01:20 +00:00
s1341
6d299334b0
nixos/freeipa: init
2023-03-16 08:40:13 +02:00
Martin Weinelt
4472cf44eb
treewide: Make yescrypt the default algorithm for pam_unix.so
...
This ensures `passwd` will default to yescrypt for newly generated
passwords.
2023-03-13 07:54:27 +01:00
Felix Buehler
d10e69c86b
treewide: deprecate isNull
...
https://nixos.org/manual/nix/stable/language/builtins.html#builtins-isNull
2023-03-06 22:40:04 +01:00
Winter
ee6517a915
Revert "nixos/polkit: guard static gid for polkituser behind state version"
...
This reverts commit 2265160fc0 and e56db577a1.
Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to suppress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.
See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
2023-02-25 22:32:16 -05:00
Nick Cao
2265160fc0
nixos/polkit: guard static gid for polkituser behind state version
2023-02-23 17:07:49 +08:00
1sixth
e56db577a1
nixos/polkit: set static gid for polkituser
...
polkituser needs a group since https://github.com/NixOS/nixpkgs/pull/130522.
2023-02-22 08:46:55 +08:00
pennae
bf4c0c1900
nixos/*: remove trailing period in mkEnableOptions
...
those are added by mkEnableOption, and .. is replaced to … by markdown
processing.
2023-02-08 15:23:34 +01:00
pennae
0a6e6cf7e6
nixos/manual: render module chapters with nixos-render-docs
...
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
2023-01-27 20:07:34 +01:00
Nick Cao
831ce5cb71
Merge pull request #211830 from sorpaas/patch-11
...
nixos/systemd-confinement: remove unused rootName
2023-01-22 16:25:44 +08:00
Naïm Favier
363158603a
nixos: fix backticks in Markdown descriptions
2023-01-21 18:08:38 +01:00
Wei Tang
ec8d74d58a
nixos/systemd-confinement: remove unused rootName
2023-01-20 22:39:16 +01:00
github-actions[bot]
49722fd14a
Merge master into staging-next
2023-01-13 18:01:34 +00:00
pennae
53fc887582
nixos/manual: move "edit the MD file" comments to generated XML
2023-01-10 12:34:37 +01:00
pennae
bf92eaebe4
nixos/manual: generate module chapters with md-to-db.sh
2023-01-10 10:32:00 +01:00
pennae
23ea73b416
nixos/manual: enable smart quotes for all MD chapters
2023-01-10 10:31:59 +01:00
pennae
53935b445f
nixos/acme: convert manual chapter to MD
2023-01-10 10:31:54 +01:00
pennae
6930425922
nixos/manual: normalize <literal><link> -> <link><literal>
...
MD can only do the latter, so change them all over now to keep diffs reviewable.
this also includes <literal><xref> -> <xref> where options are referenced since
the reference will implicitly add an inner literal tag.
2023-01-10 10:31:52 +01:00